CRM 2011 IFD

  • Question

  • Greetings,

    I was wondering if someone can figure out what I'm doing wrong in order to configure Forefront TMG 2010 server to publish our CRM 2011 server to the Internet.

    Environment setup:

    CRM Server:    Host Name: crm5-svr   IP: 10.40.50.10

    IIS setup:

    Domain Name: mydomain.Internal

    Default site is assigned to ADFS on port 444

    Second site is assigned to CRM on port 443

    Internal to our LAN everything is working as expected; users can go to:

    https://crm5.mydomain.com

    http://crm5-svr:5555


    Internally, all of the following DNS names point to our CRM/ADFS server (10.40.50.10).

    Externally, all of the following DNS names point to only one public address:

    Crm5.mydomain.com

    Dev.mydomain.com

    Auth.mydomain.com

    Sts.mydomain.com

    Adfs.mydomain.com

    Intcrm.mydomai.com


    Forefront TMG 2010 with SP2

    Listener name: CRM-Listener1

    Connections: HTTP (port 80) and HTTPS (port 443) enabled,

    Redirect all traffic from HTTP to HTTPS

    Client Authentication method: No Authentication

    Certificates: Assign a certificate for each IP address - the public IP and related wildcard cert purchased from Digicert.


    TMG Rule 1.

    Rule name: CRM-Org

    From: Anywhere

    To: crm5.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener1

    Public Name: crm5.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 443


    TMG Rule 2.

    Rule Name: CRM-Sts

    From: Anywhere

    To: sts.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener1

    Public Name: sts.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 444


    TMG Rule 3.

    Rule Name: CRM-Auth

    From: Anywhere

    To: auth.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener1

    Public Name: auth.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 444


    TMG Rule 4.

    Rule Name: CRM-Dev

    From: Anywhere

    To: Dev.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener1

    Public Name: Dev.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 444


    TMG Rule 5.

    Rule Name: CRM-ADFS

    From: Anywhere

    To: ADFS.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener1

    Public Name: ADFS.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 444


    Appreciate any help very much, and please do let me know if you should have any further questions or comments.

    Thanks for looking at this case,

    Ed.

    Monday, February 6, 2012 3:09 AM

All replies

  • Hi Ed,

    It would be easier to help you if you also shared what errors you are getting. One thing I can tell you that might be causing issues is the redirect of all traffic from HTTP to HTTPS; I have noticed that with that setting AD FS does not always work, especially when connecting the Outlook client. Based on the port numbers I guess you have ADFS and CRM installed on the same server; in that case you must be binding the HTTP port to 81 on the ADFS website.



    Regards,
    Damian Sinay
    Monday, February 6, 2012 6:16 AM
  • Hi,

    I can see a few mistakes in this configuration.

    1. How did you configure the ADFS URL?

    Using Sts.mydomain.com or Adfs.mydomain.com?

    2. You have added the above two host names. You need to provide only the one ADFS host name which you have configured.

    3. Is CRM5 the organization?

    4. You don't need to add the internal CRM host in TMG, because you will not use the internal CRM URL externally.

    5. On which port have you configured ADFS? If it is 444, then you just need to add one listener for ADFS on port 444.

    6. Bridging for Auth and Dev should be 443 not 444.

    Go through the configuration in TMG again and test it.

    http://www.dynamicsexchange.com/Blogs/user.aspx?Tableid=285


    Regards, 


    Khaja Mohiddin | http://www.dynamicsexchange.com/
    Monday, February 6, 2012 11:38 AM
    Damian/Khaja,

    Thank you so very much for taking your time and trying to help; I have done all the changes that you guys recommended with no luck yet. I am posting the updated configuration below again. Please take a look and let me know if you see anything that I can change to make the IFD work from outside of our institution.

    1. How did you configure the ADFS URL? Sts.mydomain.com

    2. You have added the above two host names. I removed the extra rule.

    3. Is CRM5 the organization? Yes, the Org name is CRM5 and the host server name is vCRM5-SVR.

    4. You don't need to add the internal CRM host in TMG, because you will not use the internal CRM URL externally. I don't understand what you mean; should I remove the part that says To: under the rules?

    5. On which port have you configured ADFS? 444. I have added an additional listener.

    6. Bridging for Auth and Dev should be 443 not 444.

    I have disabled the redirecting from HTTP to HTTPS and removed an extra TMG rule. Also, I'm including the errors and a few snapshots below:


    Environment setup:

    CRM Server:    Host Name: crm5-svr   IP: 10.40.50.10   CRM Org Name: CRM5

    IIS setup:

    AD Domain Name: mydomain.Internal

    Default site is assigned to ADFS on port 444

    Second site is assigned to CRM on port 443

    Internal to our LAN everything is working as expected; users can go to:

    https://crm5.mydomain.com

    http://crm5-svr:5555

    Internally, all of the following DNS names point to our CRM/ADFS server (10.40.50.10).

    Externally, all of the following DNS names point to only one public address:

    Crm5.mydomain.com

    Dev.mydomain.com

    Auth.mydomain.com

    Sts.mydomain.com

    Adfs.mydomain.com

    Intcrm.mydomai.com

    Forefront TMG 2010 with SP2

    Listener name: CRM-Listener1

    Connections: HTTPS (port 443) enabled

    Client Authentication method: No Authentication

    Certificates: Assign a certificate for each IP address - the public IP and related wildcard cert purchased from Digicert.

    Listener name: CRM-Listener2

    Connections: HTTPS (port 444) enabled

    Client Authentication method: No Authentication

    Certificates: Assign a certificate for each IP address - the public IP and related wildcard cert purchased from Digicert.


    TMG Rule 1. Rule name: CRM Org

    From: Anywhere

    To: crm5.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener1

    Public Name: crm5.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 443

    TMG Rule 2: CRM-Sts

    From: Anywhere

    To: sts.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener2

    Public Name: sts.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 443

    TMG Rule 3: CRM-Auth

    From: Anywhere

    To: auth.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener2

    Public Name: auth.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 443

    TMG Rule 4: CRM-Dev

    From: Anywhere

    To: Dev.mydomain.com

    Computer name or IP address: 10.40.50.10

    Forward all original host headers …: Checked

    Requests appear to come from original client: Selected

    Listener: CRM-Listener2

    Public Name: Dev.mydomain.com

    Path: /*

    Authentication Delegation: No delegation, but client may authenticate directly

    Bridging: Redirect requests to SSL port 443

    I get this when I try to browse to the website:

    https://sts.mydomain.com:444/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm5.mydomain.com%2f&wctx=rm%3d1%26id%3d0024bed6-02ac-4a48-81b2-c21d2c7b4da9%26ru%3dhttps%253a%252f%252fcrm5.mydomain.com%252fdefault.aspx&wct=2012-02-07T03%3a58%3a10Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword

    Technical Information (for support personnel)

    • Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator. (12217)

    On the TMG side:


    Allowed Connection

    2/6/2012 11:49:50 PM

    Log type: Web Proxy (Reverse)

    Status: 302 Moved Temporarily

    Rule: CRM IFD

    Source: External (99.69.199.220:52070)

    Destination: Local Host (adfs.mydomain.com 10.31.2.79:443)

    Request: GET http://crm5.mydomain.com/

    Filter information: Req ID: 0b48841f

    Protocol: https

    User: anonymous


    Denied Connection

    FW-SVR 2/6/2012 11:49:50 PM

    Log type: Web Proxy (Reverse)

    Status: 12217 The request was rejected by the HTTP filter. Contact your Forefront TMG administrator.

    Rule: CRM Sts

    Source: External (99.69.199.220:52071)

    Destination: Local Host (96.61.198.67:443)

    Request: GET http://sts.mydomain.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcrm5.mydomain.com%2f&wctx=rm%3d1%26id%3daea16088-e556-4b64-a24b-fafba13947f0%26ru%3dhttps%253a%252f%252fcrm5.mydomain.com%252fdefault.aspx&wct=2012-02-07T04%3a50%3a39Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword

    Filter information: Req ID: 0b488422; Blocked by the HTTP Security filter: URL normalization was not complete after one pass

    Protocol: https

    User: anonymous


    • Edited by Essi22 Tuesday, February 7, 2012 5:00 AM
    Tuesday, February 7, 2012 4:58 AM
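An added example (not from Ed's post or from TMG itself) that models the check behind the "URL normalization was not complete after one pass" denial (error 12217) in the log above: the WS-Federation wctx parameter wraps the return URL as a nested, percent-encoded query string, so the request still contains escapes after one decode. The one-pass decode-and-compare is an assumption about how the HTTP filter's normalization check behaves, not TMG's own logic.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the GET line from the denied-connection log entry above,
# with the spaces that extraction inserted around "mydomain.com" removed.
DENIED_REQUEST = (
    "http://sts.mydomain.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fcrm5.mydomain.com%2f"
    "&wctx=rm%3d1%26id%3daea16088-e556-4b64-a24b-fafba13947f0"
    "%26ru%3dhttps%253a%252f%252fcrm5.mydomain.com%252fdefault.aspx"
    "&wct=2012-02-07T04%3a50%3a39Z"
    "&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword"
)

# Constructed control case: the same sign-in URL with a wctx that carries no
# nested, percent-encoded return URL.
SINGLE_ENCODED_REQUEST = (
    "http://sts.mydomain.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fcrm5.mydomain.com%2f&wctx=rm%3d1"
)


def normalizes_in_one_pass(url: str) -> bool:
    """Simplified model (an assumption, not TMG's code) of the HTTP filter's
    normalization check: decode percent-escapes once and see whether a second
    pass would still change the string. If it would, the URL carried
    double-encoded characters and the filter rejects it (error 12217)."""
    first_pass = unquote(url)
    return unquote(first_pass) == first_pass


def double_encoded_params(url: str) -> list:
    """Name the query parameters whose value still holds percent-escapes after
    one decode; for a WS-Federation sign-in that is wctx, which wraps the
    original return URL (ru=...) as a nested, encoded query string."""
    offenders = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        # parse_qs has already decoded each value once.
        if any(unquote(v) != v for v in values):
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    for label, url in (("denied", DENIED_REQUEST), ("control", SINGLE_ENCODED_REQUEST)):
        print(f"{label}: one-pass normalization ok = {normalizes_in_one_pass(url)}; "
              f"double-encoded parameters = {double_encoded_params(url)}")
```

Running it shows the denied request failing the one-pass check with wctx as the only offending parameter, while the control URL passes.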
  • Hi,

    1. Externally all the Following DNS are pointing to only one public address

    Crm5.mydomain.com

    Dev.mydomain.com

    Auth.mydomain.com

    Sts.mydomain.com

    Adfs.mydomain.com (Why is this host pointing to your static IP? You have configured ADFS using sts.mydomain.com, so you can delete this.)

    Intcrm.mydomai.com (This can be used only internally, so you can delete this also.)

    ****Delete the above two rules from TMG also.****

    2. Internal to our LAN everything is working as expected users can go to:

    https://crm5.mydomain.com

    http://crm5-svr:5555 (Once you configure IFD there should not be more than one port for Microsoft Dynamics CRM, so you can delete this. For internal access use internal.mydomain.com, not the external URL and http://crm5-svr:5555.)

    3. 

    Allowed Connection

    2/6/2012 11:49:50 PM

    Log type: Web Proxy (Reverse)

    Status: 302 Moved Temporarily

    Rule: CRM IFD

    Source: External (99.69.199.220:52070)

    Destination: Local Host (adfs.mydomain.com 10.31.2.79:443) (Why are you using ADFS.mydomain.com? You have configured it using sts.mydomain.com.)

    Request: GET http://crm5.mydomain.com/

    Filter information: Req ID: 0b48841f

    Protocol: https

    User: anonymous


    You need to delete the above rule from TMG.

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/


    Wednesday, February 8, 2012 10:18 AM
  • Khaja,

    Thanks so much, I got everything working now.

    Best to you,

    Ed

    Monday, February 13, 2012 1:56 PM
  • Hi Ed,

    Can you please mark the above solution as the answer if my suggestions were helpful for you?

    Regards,


    Khaja Mohiddin | http://www.dynamicsexchange.com/

    • Proposed as answer by Khaja Mohiddin Wednesday, January 2, 2013 7:48 PM
    Monday, February 13, 2012 2:32 PM