Configuring CRM 2011 Internet Facing Deployment (IFD)
Recently we faced the big challenge of upgrading a CRM 4.0 system to CRM 2011. While setting up CRM 2011, and especially the IFD part of it, the live deployment still didn’t go as smoothly as we had hoped, despite installing it first in a test environment.
There are many guides on the internet, the best one probably being Interactiveweb’s Microsoft CRM 2011 How to Configure IFD Hosted Setup.
It looks like a fairly straightforward affair, but my experience shows that the devil is in the detail. I don’t think there’s a need for another full guide article, as the guys at Interactiveweb did a brilliant job. I just want to point out a few items that might slip your attention when following these guides.
CRM Company name
The installation of CRM 2011 itself was probably the easiest part of the whole process. This was the only part of the setup that didn’t present any difficulties.
Before you start the installation itself, decide on the CRM Company name, as it will be used later in the process. One thing to be aware of is that there are actually two CRM names in use. The first is the company name that you choose while installing CRM itself. The second is the name you will use for Claims Based authentication.
For example, you could use the company name AbcCrm, and the claims-based (internal) address could be CrmInt. If the company domain is, let’s say, contoso.com, then these addresses would look like this:
internal (claims based): CrmInt.Contoso.com
external (IFD): AbcCrm.Contoso.com
DNS Records for CRM 2011
Speaking of addresses, you will also need to set up some additional addresses. Make sure you read the guide very carefully and pay special attention to the URLs in the guide. This seems to be the most common cause of configuration issues.
It is advisable to set up all records as A records that point to the appropriate server.
We already mentioned the internal and external addresses for CRM. These should obviously point to the server where CRM is running. Additional DNS records you will need are:
adfs.contoso.com – this should resolve to the IP address of the ADFS server
auth.contoso.com, dev.contoso.com – addresses used for IFD configuration; these should resolve to the IP address of the CRM server.
In the initial test we set up the ADFS server on the same host as the CRM server. There is no reason why it couldn’t be done that way, and the guides mentioned will tell you how to do this.
There is one, I think quite important, limitation to this though. You will have to use alternative ports for CRM HTTPS. This might not be an issue in most cases, but if you need to access your CRM from networks that you don’t know much about, you might not be able to reach it, as these alternative ports might be blocked.
For these reasons we decided to host ADFS on a separate host. We also used additional public IP addresses to route the required services to the correct hosts, namely one public IP address for CRM and another for ADFS. This configuration provides the most functional setup, as it is not likely that any system would block HTTPS port 443.
As mentioned at the beginning of the article, despite testing the configuration, we still faced some issues to resolve in the live deployment. The advice can be summarized in two points:
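An added example, not part of the original article or of the guide it refers to: a PowerShell check that the DNS records described above resolve to the intended hosts before you start the claims and IFD configuration. The host names follow the article's contoso.com example; the IP addresses and the function name Test-IfdDnsRecord are assumptions to replace with your own.

```powershell
# Added example, not from the original article.
# Host names follow the article's contoso.com example; the IP addresses are
# constructed placeholders from the documentation range. Replace both.
$CrmServerIp  = '192.0.2.10'   # assumed CRM server address
$AdfsServerIp = '192.0.2.20'   # assumed ADFS server address

$ExpectedRecords = @(
    @{ Name = 'CrmInt.contoso.com'; Ip = $CrmServerIp  }   # internal (claims-based)
    @{ Name = 'AbcCrm.contoso.com'; Ip = $CrmServerIp  }   # external (IFD)
    @{ Name = 'auth.contoso.com';   Ip = $CrmServerIp  }
    @{ Name = 'dev.contoso.com';    Ip = $CrmServerIp  }
    @{ Name = 'adfs.contoso.com';   Ip = $AdfsServerIp }
)

function Test-IfdDnsRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $ExpectedIp
    )
    try {
        # IPv4 addresses only, since the article asks for A records.
        $resolved = @([System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $resolved = @()   # name not found, timeout, or no resolver reachable
    }

    if ($resolved.Count -eq 0) {
        $status = 'UNRESOLVED'
    } elseif ($resolved.Count -eq 1 -and $resolved[0] -eq $ExpectedIp) {
        $status = 'OK'
    } else {
        $status = 'MISMATCH'   # points at the wrong host, or extra A records exist
    }

    New-Object psobject -Property @{
        Name = $Name; Expected = $ExpectedIp
        Resolved = ($resolved -join ', '); Status = $status
    }
}

# Check every record and show one row per name.
$results = $ExpectedRecords | ForEach-Object {
    Test-IfdDnsRecord -Name $_.Name -ExpectedIp $_.Ip
}
$results | Select-Object Name, Expected, Resolved, Status | Format-Table -AutoSize
```

Run it once from inside the network and once from outside, with the addresses expected in each view, since the public IP addresses may differ from the internal ones.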
- There isn’t such a thing as enough testing
- Read and follow the implementation guides VERY carefully
It has been a long journey, but I hope this experience can help others when faced with the same task.