IFD

  • Question

  • Dear all,

     Just for the sake of knowledge.

    I had a debate with my colleague about using the IFD tool to set the CRM to be used from the internet vs. only implementing the CRM on a server with an external IP address.

    Both cases I saw working and allowing the user to access the CRM from the internet.

    But is there any difference regarding security if the IFD configuration tool is used or not?

    Thanks


    Yataplus
    Wednesday, April 21, 2010 9:29 PM

Answers

  • http://rc.crm.dynamics.com/rc/regcont/en_us/OP/articles/ifd_common_issues.aspx

    Microsoft Dynamics CRM uses Integrated Windows authentication to authenticate internal users. Integrated Windows authentication implements pass-through authentication functionality so that Microsoft Dynamics CRM users are not prompted a second time to log in to Microsoft Dynamics CRM after their initial sign on to the Active Directory network.

    Configuring IFD for Microsoft Dynamics CRM enables access to Microsoft Dynamics CRM from the Internet, outside of the company firewall, without using a VPN solution. Microsoft Dynamics CRM configured for Internet access uses forms authentication to verify credentials of external users. When configuring Microsoft Dynamics CRM for Internet access, Integrated Windows Authentication must remain for internal users.

    My 2 cents

    If you look into the history of CRM, the value of IFD is unchallengeable :).

    With IFD you must connect with the correct DNS.

    With IFD you must have a valid ticket.

    IFDRootDomainScheme can be set to http/https.

    Certain services won't work over IFD.

    If you are over the net, certain features require IFD/Outlook client.

    etc...


    SJ
    • Marked as answer by Jim Glass Jr Monday, May 10, 2010 2:58 PM
    Monday, April 26, 2010 2:03 PM

All replies

  • Hi,

    I think you should read this to get a better idea about the available options and the best solution.

    Hope this helps.

    Thanks.


    Cheers, Edwin
    Thursday, April 22, 2010 5:53 AM
  • Thank you Edwin for your reply

    Actually it's useful information in the link you point to, some of which I already read trying to end the debate.

    I'm glad to see other people think the way I do and that they would choose the IFD configuration tool to put CRM on the internet.

    But in that post, or in the other deep search I did hunting for the answer, I didn't get the reasons why using IFD is recommended and secure and the 3rd option in 'Greg At Fox' post is not secure?

    (adoption) 3. Make CRM site public. Expose the CRM site to the internet, use SSL to encrypt it, users prompted to login with domain credentials (all users will have domain credentials, even if they've never been to the office). We do this with sharepoint already.

    Thanks


    Yataplus
    Thursday, April 22, 2010 6:30 AM
  • Yataplus,

    There are certain things which are supported by MS and not supported by MS.

    In this way, making the CRM site public is not supported - eventually we cannot get support from them or any forums/community in case we run into some issues.

    Possibly this is why IFD is always strongly recommended.

    Maybe the community experts here could give us a better reason - let's check.

    Thanks.


    Cheers, Edwin
    Thursday, April 22, 2010 6:47 AM
  • As I see it, there is only one scenario when IFD offers a significant security benefit over directly making the CRM site public. This scenario is when you have multiple CRM servers for the same deployment, with one or more dedicated to handling IFD requests, and others for internal requests. You could use DNS configuration to direct external requests to the IFD server(s) only, and lock those servers down more tightly than the internal servers (which you could be confident would never handle external requests).

    There are 2 other considerations that may or may not be relevant:

    1. IFD uses Forms Authentication, which includes session timeout. This can be considered a benefit if users connect via public machines.
    2. IFD separates different CRM organisations at the DNS level. This provides an additional level of isolation (from a client-script perspective) between organisations in a multi-tenant environment.

    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Thursday, April 22, 2010 6:53 AM
    Moderator
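
David's second consideration above, as an added example that is not part of the original thread: browsers scope script access by origin (scheme, host, port), so one hostname per organisation separates tenants where one path per organisation does not. All hostnames, organisation names and function names are constructed, and the cookie check shows general browser domain-matching, not CRM's actual cookie settings.

```javascript
// Added illustration. URLs and organisation names are constructed samples.

// Group tenant entry points by origin. Any group holding more than one
// organisation means those tenants share a client-script boundary.
function sharedOrigins(tenants) {
  const byOrigin = new Map();
  for (const { org, url } of tenants) {
    const origin = new URL(url).origin; // scheme + host + port, path ignored
    if (!byOrigin.has(origin)) byOrigin.set(origin, []);
    byOrigin.get(origin).push(org);
  }
  return [...byOrigin.entries()]
    .filter(([, orgs]) => orgs.length > 1)
    .map(([origin, orgs]) => ({ origin, orgs }));
}

// Caveat: cookies follow domain-matching, not origin. A cookie without a
// Domain attribute is host-only; one with a Domain attribute is also sent
// to every subdomain of that value.
function cookieSentTo(cookie, host) {
  if (!cookie.domain) return host === cookie.setBy;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Site published directly: one host, one path per organisation.
const pathBased = [
  { org: "contoso", url: "https://crm.example.com/contoso/" },
  { org: "fabrikam", url: "https://crm.example.com/fabrikam/" },
];

// IFD style: one hostname per organisation.
const hostBased = [
  { org: "contoso", url: "https://contoso.crm.example.com/" },
  { org: "fabrikam", url: "https://fabrikam.crm.example.com/" },
];

console.log(sharedOrigins(pathBased)); // both organisations under one origin
console.log(sharedOrigins(hostBased)); // no shared origin

const hostOnly = { setBy: "contoso.crm.example.com" };
const parentScoped = { setBy: "contoso.crm.example.com", domain: "crm.example.com" };
console.log(cookieSentTo(hostOnly, "fabrikam.crm.example.com"));
console.log(cookieSentTo(parentScoped, "fabrikam.crm.example.com"));
```

The DNS-level separation only holds for session state if the authentication cookie is host-only; a cookie scoped to the parent domain is sent to every organisation's hostname.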
  • Thanks again Edwin and thank you David for the 2 points.

    The 1st point is indeed a security enhancement that should be available.

    I'm sure it will help me with my case, but to win the case it's not enough, especially if we are talking about one organization. I also believe that exposing servers to the internet is a security breach, and if configuring IFD using the configuration tool is not adding any further security to the server, then both scenarios are almost the same from a security point of view and a lot has to be done for security, especially if we look at the ports we need to open for the CRM to function properly in both scenarios.


    Yataplus
    Thursday, April 22, 2010 11:08 AM
  • Yataplus

    You're right. Ultimately there's very little difference between the 2 scenarios in terms of ongoing activity. A different authentication process is used, but after that clients are still connecting directly to the same server, using the same ports and same data encryption.

    If you want to tighten security further, I'd suggest looking at the MS Server product IAG / UAG (v. 2007 was called IAG (Intelligent Application Gateway), and v. 2010 is now UAG (Unified Access Gateway)). There are a couple of MS whitepapers about using them with CRM:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=742701FF-574E-450A-BDEB-CF12A2AE4206&displaylang=en&displaylang=en

    https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=47ee7f73-6059-4b20-a305-1b8b2b23f0e9

    David


    Microsoft CRM MVP - http://mscrmuk.blogspot.com  http://www.excitation.co.uk
    Thursday, April 22, 2010 11:47 AM
    Moderator
  • Sorry, but can I ask why you want to make CRM online?
    Thanks for any help :) my blog is: http://www.waelk.com
    Sunday, April 25, 2010 5:56 AM
  • Hi, sorry for the late question.

    But if I use UAG to publish the internal CRM (with SSL enabled), do I also have to use and set IFD for the internal CRM server?

    Thx,

    Brahim.


    BrahimH
    Tuesday, January 25, 2011 4:01 AM