Summary: An article to advise users on setting up IFD for Microsoft Dynamics CRM
Article Type: Information / Support
Related Product(s): This article relates to the following products:

  • Microsoft Dynamics CRM
  • Microsoft Dynamics 365
Related Articles: None


Internet Facing Deployment (IFD) is required to access Microsoft Dynamics CRM outside the corporate network.  Successful implementation of IFD is reliant on several elements.

  • Certificate
  • Public/Internal DNS
  • STS Provider
  • A mechanism to expose the STS Provider to the internet

The configuration for these elements will vary depending on existing IT infrastructure and how Microsoft Dynamics CRM is deployed.


IFD makes use of SSL, therefore, a digitally signed wild card certificate is required.  Certificates can be purchased from a certificate authority such as VeriSign or Thawte.  SAN certificates are also supported.

Self-signed certificates can be used however they are not recommended.  Using a self-signed certificate is less secure than digitally signed certificates and may leave your CRM system vulnerable.

A wild card certificate may look something like *

Public/Internal DNS

Both public and internal DNS will need to be configured.  These can be A records or CNAME records but not a mixture of both.  Here is a list of required DNS records:

Item Example Record
ADFS Server
CRM Server
Discovery Web Service
Web Application Server
Organisation Name

STS Provider

The recommended STS provider is Active Directory Federation Services.  The version will depend on what version of Windows Server is used.  Both ADFS 2.0 (Windows Server 2008) and ADFS 3.0 (Windows Server 2012) are supported.

ADFS 2.0 is available to download for free.  ADFS 3.0 comes with Windows Server 2008 R2 and will need to be enabled.

Other STS Providers will work however you should consult their user guide to check for compatibility.

A Mechanism to Expose the STS Provider to the Internet

There are several ways to expose the STS Provider to the internet.  You must consider how your network is currently set up.  Other 3rd party applications may be required.

The system administrator will be able to advise on the best ways to expose the STS Provider to the internet.  Below are some examples.

Second Network Card on STS Server

A second network card can be added to the server.  The first network card will have an internal IP address and the second network card will have a public IP address.

Firewall Routing

Rules can be added to the corporate firewall to direct traffic to the appropriate server.

ISA server or TMG server

Rules can be published using an ISA (Internet Security and Acceleration) or TMG (Threat Management Gateway) server.  These are part of the Microsoft stack.

Other methods

It may be possible to expose the STS server to the internet using different methods not already listed.

Related Information: