CRM 2011 on premise: To DMZ or not to DMZ?

  • Question

  • Hi all,

    I've searched high and low for the best answer, but I really need some input on this.

    Currently I am running an IFD 2-server setup with CRM & SQL on one server and ADFS on the other. This has been used so far for development and proof of concept. We've exposed the ADFS & CRM using HTTPS through TMG.

    I am now planning and documenting the requirements for production, and was actually working on a setup with AD, SQL, Front-end, Back-end, ADFS internally and then another front-end and ADFS proxy in the DMZ, giving 5 servers besides the AD/SQL servers.

    But our IT manager does not like to expose the AD externally, and I then stumbled on a thread from 2009 (CRM 4) where Joel Lindstrøm said:

    "The important thing to remember is that to make IFD work, you only have to expose port 443 (SSL) on the CRM server to the internet, so you should be secure without a DMZ, as the only thing that will touch the internet is port 443, and that will be secured with your cert."

    I see the point here - either we

    A) Open ports between DMZ and internal network for: SQL, SSRS, AD, ADFS(HTTPS)

    or

    B) We open for HTTPS to our internal network for the two servers: MS CRM & ADFS

    With B we could start out with 2 servers instead of 5 (we are talking about no more than 50 users logged in at the same time).

    So, do you agree that B would be a "secure enough" approach? Or do we need to look into AD DA / RODCs in the DMZ as well (sigh!).


    Best regards
    Nicolai W Hjorth
    --
    Please vote as helpful / mark as answer where appropriate ;)


    Thursday, May 30, 2013 8:50 AM
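Whichever option is chosen, the claim behind both A and B is that only tcp/443 on the CRM and ADFS hosts is reachable from the Internet. The script below is an added example (not posted in this thread and not part of CRM, ADFS or TMG) that verifies that claim from outside the perimeter: it probes each published host on a set of ports that an IFD deployment should never expose (HTTP, Kerberos, RPC, LDAP/LDAPS, SMB, SQL, RDP, WinRM) plus 443, and reports any port that is open but not planned, or planned but closed. The hostnames `crm.example.com` and `adfs.example.com` are placeholders; replace them with the names published through TMG and run the script from a machine that is not on the internal network, otherwise you are measuring the internal firewall rather than the edge.

```python
"""Audit the Internet-facing attack surface of an IFD deployment.

Added example for the thread above, not code from the original post.
Assumes option B: only tcp/443 on the CRM and ADFS hosts is published.
Run from OUTSIDE the perimeter so the result reflects the edge firewall.
"""

import socket
from typing import Callable, Dict, List, Set

# Ports that an IFD host should never expose to the Internet, plus 443.
# 80 HTTP, 88 Kerberos, 135 RPC, 389/636 LDAP(S), 445 SMB, 1433 SQL,
# 3389 RDP, 5985 WinRM.
PROBE_PORTS = (80, 88, 135, 389, 443, 445, 636, 1433, 3389, 5985)

# Placeholder hostnames (assumption) and the only port expected open on each.
EXPECTED: Dict[str, Set[int]] = {
    "crm.example.com": {443},
    "adfs.example.com": {443},
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes, i.e. the edge forwards the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, timed out or unresolvable: treat all as not exposed.
        return False


def audit(
    expected: Dict[str, Set[int]],
    probe: Callable[[str, int], bool] = tcp_open,
    ports=PROBE_PORTS,
) -> Dict[str, Dict[str, List[int]]]:
    """For each host, list ports that are open but unplanned and planned but closed."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for host, allowed in expected.items():
        open_ports = [p for p in ports if probe(host, p)]
        report[host] = {
            # Anything here means the publishing rule is wider than the plan.
            "unexpected_open": [p for p in open_ports if p not in allowed],
            # Anything here means IFD itself would not work from outside.
            "expected_closed": sorted(allowed - set(open_ports)),
        }
    return report


def is_clean(report: Dict[str, Dict[str, List[int]]]) -> bool:
    """True only when every host exposes exactly its planned ports."""
    return all(
        not r["unexpected_open"] and not r["expected_closed"] for r in report.values()
    )


if __name__ == "__main__":
    result = audit(EXPECTED)
    for host, entry in result.items():
        print(host, entry)
    print("exposure matches plan" if is_clean(result) else "exposure differs from plan")
```

The probe is injectable so the logic can be exercised without a network; in production the default `tcp_open` is used. Note that a TCP connect only proves the edge forwards the port; it does not tell you whether the internal firewall between a DMZ host and SQL/AD (option A) is correctly scoped, which must be checked from the DMZ host itself.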

Answers

  • It does mostly depend on what is considered to be "secure enough". The main extra threat you expose yourself to with option B is a DoS (Denial of Service) attack on your CRM or ADFS server. DoS attacks are targeted, rather than indiscriminate, so the only reason to consider them to be a significant risk is if you expect someone to have the desire and wherewithal to specifically target your organisation.


    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Thursday, May 30, 2013 10:23 AM
    Moderator

All replies

  • Hi David,

    Thank you very much

    DoS is not a threat towards us so we'll start with B for now. 


    Best regards
    Nicolai W Hjorth
    --
    Please vote as helpful / mark as answer where appropriate ;)

    Tuesday, June 11, 2013 11:26 AM