What ports must I open in firewall for Internet Facing Deployment (IFD)?

  • Question

  • I have CRM 2011 installed on one server and AD FS 2.0 installed on another, and everything is working correctly internally. I created the same CNAMEs with my domain registrar (Network Solutions) and created NAT routes for the public IPs: one pointing to CRM using TCP 443 and one pointing to ADFS using TCP 443. Both CRM and ADFS are installed using the default web sites, so they have ports 80 and 443, and both are configured with a wildcard cert from Go Daddy. Again, it works perfectly inside the network, but when trying to connect externally I get 'The web page cannot be displayed'. I feel I am not allowing something through correctly on my Sonicwall firewall to allow authentication with ADFS, so it is unable to authenticate. Can someone please tell me what services and ports are required to be routed through the firewall and to which server (CRM or ADFS) they must be routed?

    Thank you.


    Jeffrey Frasco

    Thursday, March 1, 2012 9:58 PM

Answers

  • The IG will list out all the ports used by CRM (there are several).

    However, the client should only be using port 80 or 443 to communicate with ADFS and CRM.

    When you connect from outside, do you even reach ADFS?  Do you see any redirection happening in the browser?

    Have you checked the Internet Connection Firewall on the servers to see if they allow this traffic inbound from an outside zone?  There are 3 different zones in ICF.

    If this fails, I would try to use a packet sniffer such as Wireshark or Fiddler to see what servers you are reaching, and what their response is.  You can also get the ports that are being used from some of these sniffers. You may need to install the certificate for Fiddler to view the secure traffic.


    Jason Peterson

    • Marked as answer by jcfrasco Monday, March 5, 2012 2:04 PM
    Thursday, March 1, 2012 10:25 PM

All replies

  • So the only port I need to be worried about opening in my Sonicwall firewall is HTTPS 443 for both CRM and ADFS? 

    In order to make sure nothing was interfering with my installation I disabled the internal firewall on both servers, so I know that is not the problem.

    When I enter the URL for CRM (format https://crm.mydomain.com) external to the firewall I don't see a redirect to authenticate with ADFS. Could there be an issue internally with my DNS entries, since I have the same domain internally and my local DNS server is pointing to a private IP address (example adfs.mydomain.com = 192.168.xxx.8), that would make it try to redirect to my private IPs instead of the public IP I configured? If so, that might explain why it works internally but not externally--just a thought.

    As for a packet sniffer how would I use it to test the redirection to ADFS?

    Thank you for your prompt reply.


    Jeffrey Frasco

    Thursday, March 1, 2012 11:04 PM
  • Hi,

    You need to open two ports in your firewall: 1. ADFS and 2. CRM.

    Port numbers depend on your configuration. If you select 443 for ADFS and 444 for CRM, then you need to enable ports 443 and 444 in your Sonicwall firewall.

    Regards,


    Khaja Mohiddin
    http://www.dynamicsexchange.com
    http://about.me/KhajaMohiddin

    Friday, March 2, 2012 3:18 PM
  • Thank you all for your responses. I worked on this over the weekend and resolved the issue; after doing more troubleshooting I found that I had actually not configured my access rule on the firewall correctly, so nothing was getting through. For anyone having similar questions about what ports to open, this is exactly what worked for me.

    - Create names for CRM and ADFS with your domain registrar so the public IPs (or IP if you created them on the same server) point to your firewall.

    - Create NAT routes for the public IPs to the internal IPs of the respective server (or IP if CRM and ADFS are on the same server using different ports for HTTPS) using HTTPS.

    - Make sure to create a firewall rule allowing the traffic through from WAN to LAN (use your firewall's guide for this).

    I found that nothing else needed to be routed through the firewall other than HTTPS (or HTTP if using that, but that is strongly not recommended).

    Thanks again for all replies.


    Jeffrey Frasco

    Monday, March 5, 2012 2:04 PM
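The thread settles on two facts: only HTTPS needs to reach each server, and the symptom to look for from outside is whether the CRM URL redirects to ADFS at all (plus the split-DNS worry that a public name might resolve to a private IP). The following script is an added example, not code from this thread, Microsoft, or SonicWall; it turns those checks into something repeatable. The hostnames crm.mydomain.test and adfs.mydomain.test, the IPs, and the HTTP responses in SAMPLE_DNS and SAMPLE_HTTP are constructed so the script runs offline; the /adfs/ls/ path with wa=wsignin1.0 is the AD FS 2.0 passive sign-in endpoint. The resolver and fetcher are injected, so the same logic runs against the constructed sample or, when two arguments are given, against real hosts using only the standard library.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Address ranges that should never appear in a public DNS answer for an IFD name.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def dns_verdict(addresses):
    """'unresolved', 'private' (RFC 1918/loopback/link-local) or 'public'.
    Seen from the Internet, 'private' means the public record leaks an internal IP."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    if any(ip in net for ip in ips for net in INTERNAL_NETS):
        return "private"
    return "public"


def follow_redirects(url, fetch, max_hops=5):
    """Walk redirects with fetch(url) -> (status, Location); fetch must not follow them.
    Returns the URLs visited in order; a repeated URL at the end marks a loop."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
        if chain.count(chain[-1]) > 1:               # loop: stop, do not spin
            break
    return chain


def ifd_verdict(chain, adfs_host):
    """Summarise a redirect chain as facts a troubleshooter can act on."""
    hosts = [urlsplit(u).hostname for u in chain]
    return {
        "reached_adfs": adfs_host in hosts,
        "all_https": all(urlsplit(u).scheme == "https" for u in chain),
        "hops": len(chain) - 1,
        "loop": len(chain) != len(set(chain)),
    }


def check_ifd(crm_url, adfs_host, resolve, fetch):
    """Run the DNS and redirect checks with an injected resolver and fetcher."""
    crm_host = urlsplit(crm_url).hostname
    result = {"dns": {h: dns_verdict(resolve(h)) for h in (crm_host, adfs_host)}}
    chain = follow_redirects(crm_url, fetch)
    result["chain"] = chain
    result.update(ifd_verdict(chain, adfs_host))
    return result


def live_resolve(host):
    """All IPs the local resolver returns for host (used only in live mode)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def live_fetch(url, timeout=10):
    """One HTTPS GET, no redirect following (live mode only). A non-HTTPS hop
    ends the chain as (0, None) so the 'all_https' verdict exposes the downgrade."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return (0, None)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return (resp.status, resp.getheader("Location"))
    except OSError:          # DNS failure, refused/filtered port, TLS error
        return (0, None)
    finally:
        conn.close()


# Constructed sample data (hypothetical hosts; not taken from the thread).
SAMPLE_DNS = {
    "crm.mydomain.test": ["203.0.113.10"],   # public NAT address: fine
    "adfs.mydomain.test": ["192.168.10.8"],  # internal address leaked to public DNS: broken
}
SAMPLE_HTTP = {
    "https://crm.mydomain.test/": (302, "https://adfs.mydomain.test/adfs/ls/?wa=wsignin1.0"),
    "https://adfs.mydomain.test/adfs/ls/?wa=wsignin1.0": (200, None),
}


def demo():
    """Run the checks against the constructed sample instead of the network."""
    return check_ifd("https://crm.mydomain.test/", "adfs.mydomain.test",
                     lambda h: SAMPLE_DNS.get(h, []), lambda u: SAMPLE_HTTP.get(u, (0, None)))


if __name__ == "__main__":
    import json, sys
    live = len(sys.argv) == 3  # usage: ifd_check.py https://crm.example.com/ adfs.example.com
    out = check_ifd(sys.argv[1], sys.argv[2], live_resolve, live_fetch) if live else demo()
    print(json.dumps(out, indent=2))
```

In the constructed sample the redirect chain is healthy (CRM hands the browser to ADFS over HTTPS in one hop) but the DNS verdict for the ADFS name is "private", which is exactly the split-DNS failure Jeffrey suspected: the redirect would point an outside browser at an address it cannot reach. Run it from a host outside the firewall, since the point is to see what the Internet sees, not what the LAN sees.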