How can remote CRM 4.0 outlook client users access the application from their remote, non-domain PCs

  • Question

  • I have a question pertaining to how to implement a CRM 4.0 application into our organisation and specifically our network environment across the world.
    We have a particular scenario for letting users access CRM, which we can't figure out an adequate solution to.

    Some background...
    We plan to host our own CRM system so for users on our WAN, access to it will be fine. Users can use the web or outlook client.
    For users in offices not on our WAN but on foreign networks, they traditionally access our LAN by using our portal (Microsoft's Internet Application Gateway). That is, users log onto the portal, and if their machine is permitted (i.e. it is approved hardware, has approved software and is appropriately configured) they are able to connect to our LAN.

    These users on foreign networks work on machines not associated with any domain, but belong to a workgroup with a standard name. (The offices they work in are remote and small so have no domain controllers in. In addition, network connectivity is often poor and unreliable). This standard name (and a few other things) are assessed to determine if they are allowed to connect to our LAN.

    Once on the LAN, they are, for example, able to connect to CRM using the web client (though the first time in their IE session they browse to it, they will be prompted to enter a domain account). (Obviously they need to enter a valid domain account in order for CRM to authenticate them.)

    The problem is with the users of the outlook client (Office 2003). If they are connecting to our LAN with machines in a workgroup, when on our LAN, how are they able to connect (or even configure CRM) as they are given no such prompt?

    We have considered a few options but none are satisfactory yet. The simple answer would be to add these machines to the domain but for several reasons this is a large and complicated task affecting many users in remote offices across the world. We have had a few suggested possibilities (ADFS, CRM in an internet-facing configuration, using a specific configuration of IAG with the outlook client), but none seem to be appropriate.

    The internet facing option seems to be the best one but we do not want to put CRM on the internet - but presumably we don't need to.

    Has anyone got any suggestions for a solution to this problem?


    Tuesday, August 4, 2009 2:51 PM


  • Assuming that when your users connect using IAG they receive an IP address in a different subnet than the users who are on the LAN already, I believe you can set up your IFD so that users on the LAN connect using integrated authentication and everyone else connects via forms-based authentication. As long as your CRM web site isn't hooked to the server's external IP address, your CRM will not be exposed to the outside world.

    I have not tested this, but it seems to make sense.
    • Marked as answer by Jim Glass Jr Monday, August 10, 2009 2:54 PM
    Thursday, August 6, 2009 7:51 PM
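
The subnet split suggested in the answer only works if the address pool handed out by IAG does not overlap any range the CRM server treats as internal; otherwise the workgroup machines are sent down the integrated-authentication path and never see a logon form. The following is an added example, not part of the original thread, that checks a planned layout for that overlap. The `address-mask` range format, the sample ranges and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
INTERNAL_RANGES = "10.10.0.0-255.255.0.0,192.168.5.0-255.255.255.0"
IAG_CLIENT_POOL = "172.16.40.0/24"


def parse_internal_ranges(spec):
    """Parse comma-separated 'address-mask' pairs into network objects."""
    networks = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        address, sep, mask = item.partition("-")
        if not sep:
            raise ValueError(f"expected address-mask, got {item!r}")
        # strict=False normalises entries that give a host address plus mask.
        networks.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))
    return networks


def auth_mode(client_ip, internal_networks):
    """Return which authentication path a client address would fall into."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in internal_networks):
        return "integrated"
    return "forms"


def overlapping_ranges(pool, internal_networks):
    """List internal ranges that overlap the remote-access address pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [net for net in internal_networks if net.overlaps(pool_net)]


if __name__ == "__main__":
    nets = parse_internal_ranges(INTERNAL_RANGES)
    for ip in ("10.10.3.7", "172.16.40.25"):
        print(ip, "->", auth_mode(ip, nets))
    clashes = overlapping_ranges(IAG_CLIENT_POOL, nets)
    if clashes:
        print("IAG pool overlaps internal ranges:", [str(n) for n in clashes])
    else:
        print("IAG pool is disjoint from internal ranges")
```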