Microsoft Forefront Unified Access Gateway Product Team Blog : CRM

New White Paper: Implementing an ADFS Solution for Microsoft Dynamics CRM by Using Intelligent Application Gateway (IAG)

edgeaccessblog — Mon, 20 Jul 2009 20:31:59 GMT

Even though we are focused on UAG these days, we and our partners still promote IAG and add more content for our community. Here is a blog cross-post from the CRM team blog on enabling ADFS for CRM using IAG. Most of the content of this paper is also true for UAG and for other applications like SharePoint.

By default, an on-premise implementation of Microsoft Dynamics CRM 4.0 leverages Active Directory (Integrated Windows) Authentication to accommodate access by internal users. However, many businesses also require the ability to provide external users with access to the highly sensitive information that is stored in the CRM system and to accommodate this access without having to create Active Directory trusts.

Because providing external access to internal CRM resources can also introduce potential security risks from both external and internal sources, in these scenarios, the CRM implementation must be protected by a gateway, such as Intelligent Application Gateway (IAG) 2007, which is sensitive to application logic and data and can ensure that internal and external users perform their routine tasks in a secure manner.

By using a combination of IAG and Active Directory Federation Services (ADFS) to establish an authentication gateway, companies can provide access to CRM resources by any identity, from any organization and from any computer, complete with strong authentication and full Single Sign On from the end user to the internal CRM system with a full audit trail (including username and source IP).

The white paper Implementing an ADFS Solution for Microsoft Dynamics CRM by Using Intelligent Application Gateway (IAG), recently released by the MS CRM Engineering for Enterprise (E2) team, provides high-level guidance on using IAG to implement an ADFS solution for Microsoft Dynamics CRM 4.0. Developed in collaboration with the IAG team in Israel and the CRM Product team in Redmond, the document is available on Microsoft Downloads at:
https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=47ee7f73-6059-4b20-a305-1b8b2b23f0e9

Cheers,

Jim Toland

CRM Engineering For Enterprise

Publishing CRM Outlook Client Using IAG SP2

edgeaccessblog — Mon, 09 Mar 2009 10:28:00 GMT

IAG SP2 introduced support for Dynamics CRM 4.0 Web application. This support enables IAG SP2 to protect and enhance the CRM servers – look here for more details. This support can be extended to the CRM Outlook client using the steps detailed below.

I. Adding the application on IAG

1. In a portal trunk, select to add a new application.

2. Select "Generic Client App" as the application type from the "Client/Server and Legacy Applications" combo-box:

3. Type a name to identify the application:

4. Fill in the server address and port, and make sure that the "Launch Automatically on start" option is checked:

5. In the “Portal Link” page, make sure that the "Add link on portal and toolbar" is unchecked and then click Finish

6. From the trunk’s application list, open the application that you just created. Go to the "Client Settings" tab and check the "Extended" option:

II. Configuring the CRM Outlook Add-on Configuration Manager

Prerequisites: The initial configuration of the add-on should be done from a domain-joined machine.

1. Run the CRM Add-on configuration manager and choose "My Company":

2. In the "Intranet Address" fill in the CRM server's name, uncheck the "Use the same Web address" checkbox, and in "External web address" fill in the IAG portal address followed with a "/MSCRMServices" path.

Start working…

Now IAG users can use their CRM Outlook client. All they have to do is log in to the IAG portal. After login they will be able to use their CRM Outlook client for as long as their IAG session is valid.

Author: Chen Kirsch, IAG Product Team Application Group

Reviewer: Meir Mendelovich, Program Manager, IAG Product Team

Securely Publishing Dynamics CRM 4.0 by Using IAG SP2

edgeaccessblog — Fri, 07 Nov 2008 01:10:00 GMT

[Cross post with Microsoft Dynamics CRM team blog]

We are pleased to announce the upcoming availability of Microsoft Intelligent Application Gateway (IAG) Service Pack 2 (SP2), which provides a number of key enhancements, including a new application optimizer for Microsoft Dynamics CRM 4.0. The IAG team has always viewed CRM implementations as an important scenario, and we feel confident that this update will help you protect your CRM deployments.

Most organizations want to make their CRM application available to remote employees and business partners, but the application often also contains extremely sensitive information. These scenarios require special attention to the related security issues, including providing a means of protecting the CRM server and preventing unattended information leakage. IAG SP2 provides built-in support for all of these requirements – specifically adapted for Dynamics CRM 4.0, and with a very quick and easy administrator experience.

Using the new SP2 application optimizer to publish a Dynamics CRM 4.0 deployment automatically:

· Prevents file downloads from unhealthy or unmanaged computers

· Prevents uploads for computers that aren't running an anti-virus program

· Controls who can export CRM data to Excel, and from which devices

· Cleans the user’s cache and temporary files after a session ends (e.g. if your CEO used “export to Excel” from an Internet kiosk…)

· Adds timeout and logoff functionality to reduce the risk of session hijacking

· Provides strong authentication to CRM servers (for example, smartcards and one-time passwords)

· Supports ADFS

· Provides single sign on (SSO) to and from the CRM server to any other application published by IAG

· Forwards only valid HTTP requests to backend servers

Note: Also keep in mind that because the CRM server is separated at the application level from external users, it is already protected from most malicious attacks.

As always, the IAG team performed extensive testing on Dynamics CRM 4.0 behind IAG to ensure that SP2 doesn't break any CRM functionality or harm performance.

Making it easier to provide Internet access to an organization’s CRM application can unlock new and exciting models that leverage the current CRM deployments:

· Allow secured access from unmanaged computers and devices - such as employees’ home computers, Internet kiosks, and mobile devices.

· Provide business partners with access to a subset of CRM functionality to allow them to update their work without employee involvement. IAG SP2 handles the authentication (e.g. using ADFS) and ensures that partners cannot access sensitive data or parts of the system, or perform actions such as exporting data to Excel.

For example if a subcontractor is providing service for all your customers in a specific region you could allow its employees to access contacts and service for their customers but block them from viewing contracts, quotes, marketing or upload files.

For more information, see http://www.microsoft.com/iag. Additional detail will also be provided later this month at the Convergence EMEA conference in Copenhagen.

Jim Toland, MS Dynamics CRM Engineering for Enterprise team

Meir Mendelovich, IAG Product Group