Calling Synchronous Web Service that's behind firewall (i.e. not publicly exposed) from MS CRM Online RRS feed

  • Question

  • We are planning to migrate to MS CRM Online. Although it will be an Online deployment of MS CRM, but the CRM application will be accessed by people from with in the office network only.

    We have a scenario in which a plugin that will be hosted on MS CRM Online need to invoke a synchronous web service that is deployed on-premise (behind the firewall, only accessible via VPN or from within the office network).

    What options do we have to connect to such synchronous on-premise web service from a plugin on MS CRM Online?

    Thursday, July 4, 2013 9:57 AM

All replies

  • Plugins in CRM Online can only use HTTP or HTTPS, so you can't use a VPN, and would have to open either port 80 or 443 on the firewall. The normal way to sensibly restrict the incoming traffic would be by source IP address; however I'm not aware that Microsoft publicise the IP address and/or guarantee it will stay the same.

    An alternative could be to host the web service in Azure

    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk

    Thursday, July 4, 2013 12:51 PM
  • Thanks David for the prompt response.

    So in Windows Azure, there are two options to access the on-premise synchronous and secure web services:

    1. Exposing on-premise synchronous web service using Service Bus Relay? What are the security implications for this approach?
    2. Create a wrapper web service around on-premise synchronous web services and host that wrapper web service in a Windows Azure VM / Web Role (the VM/Web Role will be connected to on-premise using site to site connectivity i.e. VPN b/w Windows Azure and on-premise data center). Once that wrapper is created then how to secure that wrapper web service such that it's only accessible by MS CRM Online and not publicly available?

    Which option is typically used in such scenarios and what are the trade offs? Are there are any walkthrough articles available online that cover this scenario?

    Thursday, July 4, 2013 1:13 PM
  • I would suggest option #2 (wrapper service hosted in Azure). Take a look at this blog post for some thoughts on authentication between the CRM Online plug-in and the wrapper service: http://blogs.msdn.com/b/devkeydet/archive/2013/03/13/authenticating-to-an-azure-hosted-web-service-from-crm-online-sandbox-code.aspx

    Lucas Alexander
    Blog - http://www.alexanderdevelopment.net
    Twitter - http://twitter.com/lucas_is
    Rockstar 365 - http://rockstar365.com/lucas_is

    • Edited by Lucas Alexander Monday, July 8, 2013 2:44 AM fixed garbled signature
    Monday, July 8, 2013 2:41 AM