Questions on multi-tenant environment and access to CRM (CRM 4.0)

  • Question

  • Hi,

     

    I've been reading the planning and deployment guides for service providers, but I'm still a bit confused about how customers actually would access CRM. Let's say you have an SP that hosts both CRM and Exchange and has 2 types of customers.

     

    Customer A has his own mail solution. Can he install the Outlook client, if they have Exchange, on their computers to access CRM? How do the users log in to the CRM?

    I assume users at customer A can also use the web client using a URL like this: https://customerA.crm.serviceprovider.com


    Customer B has an Exchange account with the SP. If he has access to Outlook, using Citrix, I assume he can use the Outlook client?

    Can he use Outlook Anywhere with the Outlook client using RPC over HTTP?

    Is the Outlook client available in Outlook Web Access?

    A fall back would always be the web client using https://customerB.crm.serviceprovider.com.


    Any other methods of accessing the CRM in a multi-tenant environment that I've missed?

    For both customers I assume that the e-mail router should be used? (as this is recommended in the docs...)

    Tuesday, June 17, 2008 12:28 PM

All replies

  • The Outlook client can be used in both cases.  It is designed to connect to CRM via web services, so as long as the user can communicate with CRM, you are fine.  There is no direct communication between Exchange & CRM.  The CRM client will not run on OWA, though it can be installed on Citrix.

     

     

    Tuesday, June 17, 2008 1:12 PM
  • If they are sending all mail in Outlook, they do not have to run the email router--individual Outlook clients can promote emails to CRM without the router.  The router is required if you want to centrally manage the routing or if you want to send email from the web client.

     

    Exchange is also not required, as you can use POP3 mail as well.

     

    Another option for deploying CRM for multiple tenants is to use the IFD tool and make CRM internet facing.  This would be good, especially if you want to use Outlook Anywhere over HTTP or HTTPS; then you just configure the Outlook CRM client to connect to a service provider and connect via the http IFD address.

    Tuesday, June 17, 2008 3:10 PM
    Moderator
  • Thank you for the replies.

     Joel CustomerEffective wrote:

    If they are sending all mail in Outlook, they do not have to run the email router--individual Outlook clients can promote emails to CRM without the router.  The router is required if you want to centrally manage the routing or if you want to send email from the web client.


    What if they use both the web client and Outlook? Are there different settings for them? Can you use Outlook for Outlook and the e-mail router on the web client?

     


     Joel CustomerEffective wrote:

    Another option for deploying CRM for multiple tenants is to use the IFD tool and make CRM internet facing.  This would be good, especially if you want to use Outlook Anywhere over HTTP or HTTPS; then you just configure the Outlook CRM client to connect to a service provider and connect via the http IFD address.



    Hmm... my impression was that a multi-tenant install became internet facing automatically. That was my impression after reading the deployment guide. But after some more reading it seems like they are doing something to configure it to be internet facing. I thought users could automatically use an https connection to connect to the CRM, using the web client on any installation, but that is not the case? You have to configure an external IP address for this, otherwise users have to log on to the service provider's network in order to access it through the web client?


    Another thing, does CRM 4.0 support ADFS and/or trust(ed) connections? Or is this something that is handled by other mechanisms than the CRM?
    Wednesday, June 18, 2008 7:25 AM
  • Yes, you can have users use the web client and Outlook to send email; in that case you would need to use the router to enable e-mail to be sent from the web client.

    CRM does not default to internet facing--you need to enable it.  You do have to configure an external URL pointing to the server.  The URL needs to match that CRM organization's name.  For example, our CRM org name is microsoftcrm, so our IFD URL is https://microsoftcrm.company.com.  You also have to enable forms authentication on that port.

    Then you need to download and run the IFD tool. 

    Here I documented some of the lessons learned that are not clearly documented in the implementation guide: http://blog.customereffective.com/blog/2008/04/lessons-learned.html

    Once IFD is enabled, when they go to the https address they will use forms authentication to log in, rather than Windows authentication.  Their login will be their Active Directory login (without the domain), but the idea of the IFD tool is to enable users outside of your AD network to be able to access the system.

    You can add the URL of CRM to your trusted connections or save the password.  Really the best way to facilitate automatic logon is by installing the Outlook client.  You can make it remember your password, and if you have the Outlook client installed and authenticated to CRM, you can go to the web client without having to enter your password, and facilitate things like dynamic spreadsheets.
    Wednesday, June 18, 2008 11:05 AM
    Moderator
  • Most helpful Joel.

    A final question on IFD. Users not belonging to the service provider's domain, they must be logged on to their company domain in order to access the CRM? E.g. if a user sits at home he has to use a VPN connection into his company network in order to access the CRM. He can't just log in from any computer? (Guessing this is the DNS configuration part of IFD.)


    Wednesday, June 18, 2008 11:53 AM
  •  

    These are the two options:

    1.  On premises--in this deployment, the users have to be on the network that CRM is installed on, either directly or via VPN.  These users also have to be part of the domain that CRM is in to authenticate the Outlook client.

     

    2.  IFD--these users do not have to be logged on to a domain to access CRM.  They can be at home, Starbucks, etc.  The service provider needs to create an Active Directory account for them to set up their user in CRM, but the user will use forms authentication to connect using their credentials from any internet connection.  The user does not actually connect to the domain.   He can log in from any computer, and can configure Outlook on any computer to authenticate via the IFD URL.

     

    #2 is really the service provider's best choice, as it simplifies things significantly from 3.0, as there is no need for VPN, stored domain passwords, etc, and it is much more secure, as you are just opening up the CRM web site, not the rest of the network.

    Wednesday, June 18, 2008 12:51 PM
    Moderator
  •  Joel CustomerEffective wrote:

     

    These are the two options:

    1.  On premises--in this deployment, the users have to be on the network that CRM is installed on, either directly or via VPN.  These users also have to be part of the domain that CRM is in to authenticate the Outlook client.


    2.  IFD--these users do not have to be logged on to a domain to access CRM.  They can be at home, Starbucks, etc.  The service provider needs to create an Active Directory account for them to set up their user in CRM, but the user will use forms authentication to connect using their credentials from any internet connection.  The user does not actually connect to the domain.   He can log in from any computer, and can configure Outlook on any computer to authenticate via the IFD URL.

     

    #2 is really the service provider's best choice, as it simplifies things significantly from 3.0, as there is no need for VPN, stored domain passwords, etc, and it is much more secure, as you are just opening up the CRM web site, not the rest of the network.



    Ok, let's get this straight... :)

    #1: Users have to log on to the service provider's network in some way to access the CRM. User account in service provider's AD. This one I understand.
    #2: CRM is in IFD mode. Users can connect from any computer. But reading books and docs it seems like you can configure the DNS to only allow certain IP addresses??
    E.g.: a company connects to the CRM using "comp.crm.serviceprovider.com". Their external IPs are in the range: 12.12.12.0 - 12.12.12.10. So if a user connects from one of these, they are granted access to the CRM.
    One of the users is sitting at Starbucks trying to connect from 133.123.321.213. Is he allowed to connect to the network or does he have to connect to the company's VPN service first (so that he gets 12.12.12.09)?
    OR
    The user can connect from 133.123.321.213 without any hassle. I believe this is what you have described.


    What this all boils down to really is how the user is identified. (This is new stuff to me so bear with me.) If the users can connect from anywhere I suspect that they must have a user account in the service provider's AD. Correct? But if the users have to come from a special IP range do they then have to have a user account in the service provider's AD? Can there be a trust between the two ADs so we don't have to replicate the users' accounts? Or is there a requirement that the users of the CRM have to exist in the service provider's AD?
    Wednesday, June 18, 2008 2:04 PM
  • The user is identified by Active Directory credentials, so they have to have an account on the service provider's AD.  They have to have an AD account to add them as a user in CRM.

     

    There's no way to just say "trust this IP range" and have anybody in that IP range log in over IFD.
    Wednesday, June 18, 2008 2:18 PM
    Moderator

  • In retrospective: How to setup a SaaS cloud? Multi-tenant, CRM 2011, Outlook2010

    http://izlooite.blogspot.com

    Saturday, September 26, 2015 3:33 PM