High Level Requirements for Internet Facing Deployment (IFD)

Microsoft Dynamics 365 Technical Article

Article sections

    Summary: An article to advise users on setting up IFD for Microsoft Dynamics CRM
    Article Type: Information / Support
    Related Product(s): This article relates to the following products:

    • Microsoft Dynamics CRM
    • Microsoft Dynamics 365
    Related Articles: None


    Internet Facing Deployment (IFD) is required to access Microsoft Dynamics CRM outside the corporate network.  Successful implementation of IFD is reliant on several elements.

    • Certificate
    • Public/Internal DNS
    • STS Provider
    • A mechanism to expose the STS Provider to the internet

    The configuration for these elements will vary depending on existing IT infrastructure and how Microsoft Dynamics CRM is deployed.


    IFD makes use of SSL, therefore, a digitally signed wild card certificate is required.  Certificates can be purchased from a certificate authority such as VeriSign or Thawte.  SAN certificates are also supported.

    Self-signed certificates can be used however they are not recommended.  Using a self-signed certificate is less secure than digitally signed certificates and may leave your CRM system vulnerable.

    A wild card certificate may look something like *.domain.com

    Public/Internal DNS

    Both public and internal DNS will need to be configured.  These can be A records or CNAME records but not a mixture of both.  Here is a list of required DNS records:

    Item Example Record
    ADFS Server ADFS_Server.Domain.com
    CRM Server CRM_Server.domain.com
    Discovery Web Service disco.domain.com
    Web Application Server auth.domain.com
    Organisation Name ORG1.domain.com

    STS Provider

    The recommended STS provider is Active Directory Federation Services.  The version will depend on what version of Windows Server is used.  Both ADFS 2.0 (Windows Server 2008) and ADFS 3.0 (Windows Server 2012) are supported.

    ADFS 2.0 is available to download for free.  ADFS 3.0 comes with Windows Server 2008 R2 and will need to be enabled.

    Other STS Providers will work however you should consult their user guide to check for compatibility.

    A Mechanism to Expose the STS Provider to the Internet

    There are several ways to expose the STS Provider to the internet.  You must consider how your network is currently set up.  Other 3rd party applications may be required.

    The system administrator will be able to advise on the best ways to expose the STS Provider to the internet.  Below are some examples.

    Second Network Card on STS Server

    A second network card can be added to the server.  The first network card will have an internal IP address and the second network card will have a public IP address.

    Firewall Routing

    Rules can be added to the corporate firewall to direct traffic to the appropriate server.

    ISA server or TMG server

    Rules can be published using an ISA (Internet Security and Acceleration) or TMG (Threat Management Gateway) server.  These are part of the Microsoft stack.

    Other methods

    It may be possible to expose the STS server to the internet using different methods not already listed.

    Related Information:
    in MicrosoftMicrosoft Dynamics CRMSupport
    Share This Post
    More To Explore

    Sign Up To Our Newsletter For Regular Updates And News