CRM 2013 Front End Server on DMZ (for IFD)

  • Question

  • Hi there MSCRM community/experienced implementers,

    We're trying to implement CRM 2013 (On-Prem) configured with Internet-Facing Deployment (IFD).

    Our server scenario/setup (see attached image (Fig. 1)):

    • 1 CRM Front-End Server (currently on DMZ)
    • 1 CRM Back-End Server
    • 1 AD FS Server (currently on DMZ)
    • 1 SQL Database Server

    The CRM 2013 Server Roles are NOT yet installed, and we’re about to.

    The server (let’s call it CRMfrontend) where we will install the Front-End Server Role is on DMZ (perimeter network).

    The server that will serve as AD FS Server is also on DMZ.


    1. How do I install the CRM 2013 Front-End Server Role to my CRMfrontend server if it’s on DMZ?

    Because per requirements, the CRM Installation Account and Service Accounts are/must be members of the Active Directory Domain User group.

    2. How do we implement/configure IFD if our CRM Front-End and AD FS Servers are on DMZ? How do they communicate with the internal servers?

    Fig. 1 - VM Server Setup

    Any input is greatly appreciated.

    Thanks for your time and help!


    Friday, June 13, 2014 10:27 AM

All replies

  • Given the number of ports that have to be opened up between CRM servers, SQL servers and Domain controllers I'm not a fan of putting CRM servers in DMZs. I think it considerably complicates networking without necessarily improving security.

    I would have everything behind a decent firewall with just the relevant ports open, probably just 443 for https access to the CRM website and the ADFS server.

    Monday, June 16, 2014 11:34 AM
In principle I'm happy with the idea of putting CRM servers in a DMZ, but only if you have at least 2 front-end servers - one in the DMZ for external access, and one in the internal network for internal access. If you just have the one front-end server, then internal users have to connect out to the DMZ, which I'd try and avoid. Similarly I'd want to have an internal and an external ADFS server.

The other consideration is the location of a Domain Controller. The ADFS server will have to communicate with a DC, so you'll either have to put a DC in the DMZ, or open the ports to allow AD communication between the networks. All other communication between networks will be via https.

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Monday, June 16, 2014 1:00 PM
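Both replies come down to the same check: the perimeter should let nothing but 443 through to the CRM and AD FS names from the outside, while the DMZ hosts must still reach a domain controller on the ports Active Directory needs. The script below is an added example, not code from the thread or from Microsoft; it uses the standard `Test-NetConnection` cmdlet (Windows 8 / Server 2012 and later, TCP only) to compare what is actually reachable against what you intend. The hostnames, the "must be closed" port list and the DC port list are assumptions chosen for illustration, not values taken from the thread.

```powershell
# Added example (not from the thread): compare a host's reachable TCP ports against
# the set you expect to be open, so firewall exposure can be verified rather than assumed.
# Hostnames and port lists below are placeholders/assumptions for illustration.

function Test-PortExposure {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int[]] $ExpectedOpen   = @(),
        [int[]] $ExpectedClosed = @()
    )
    foreach ($port in ($ExpectedOpen + $ExpectedClosed)) {
        # -InformationLevel Quiet returns $true/$false; warnings for closed ports are suppressed.
        $reachable = [bool](Test-NetConnection -ComputerName $ComputerName -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue)
        $shouldBeOpen = $ExpectedOpen -contains $port
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $port
            Reachable    = $reachable
            Expected     = if ($shouldBeOpen) { 'Open' } else { 'Closed' }
            Status       = if ($reachable -eq $shouldBeOpen) { 'OK' } else { 'MISMATCH' }
        }
    }
}

# 1. Run from a machine outside the perimeter: only 443 should answer on the
#    published CRM and AD FS names (placeholder hostnames). The "closed" list is
#    a sample of management/database ports that must never be reachable from the Internet.
$external = foreach ($name in 'crm.example.com', 'sts.example.com') {
    Test-PortExposure -ComputerName $name -ExpectedOpen 443 `
        -ExpectedClosed 80, 135, 445, 1433, 3389
}

# 2. Run from the DMZ AD FS (or CRM) server: the inner firewall must allow the
#    domain-controller ports AD itself requires (DNS, Kerberos, RPC endpoint mapper,
#    LDAP, SMB, LDAPS). Placeholder DC name; the port list is a general AD fact, not
#    something stated in the thread.
$toDc = Test-PortExposure -ComputerName 'dc01.corp.example.local' `
    -ExpectedOpen 53, 88, 135, 389, 445, 636

$all = @($external) + @($toDc)
$all | Format-Table -AutoSize
if ($all.Status -contains 'MISMATCH') {
    Write-Warning 'Reachable ports differ from the intended firewall policy; review the MISMATCH rows.'
}
```

Run part 1 from outside the network and part 2 from the DMZ host itself; a `MISMATCH` in part 1 means the perimeter exposes more than 443, and a `MISMATCH` in part 2 means AD FS will fail to authenticate users against the internal DC until the inner firewall rule is corrected.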