In this post I'll discuss how we have used the Application Request Routing module from IIS to expose Ms Dynamics CRM to the big bad world.
In this project I'm working on at the moment we want to allow authorized third parties to access to our application, which means that there has been a lot of discussions around what's the best way of doing this.
The Problem:
We want to allow third parties access to our MS Dynamics CRM 2015 system but these third parties might be mom and pop operations so federating with them is not an option. In reality, this is a fantasy conjured up by the PM, but we all go along with it, because sometimes it's important to know which battles to fight.
We also don't want to expose our MS Dynamics CRM 2015 servers to the big bad internet.
The Solution:
Use ARR to expose the MS Dynamics CRM 2015 website to the outside world, while keeping the servers happily inside the perimeter.
This is an architecture diagram of what we are trying to achieve.
I'm assuming that you have a working MS Dynamics CRM 2013/2015 installation configured for Internet Facing Deployment and a wildcard certificate for the appropriate domain available.
Install ARR.
Navigate to this page and click on install this extension, which will use the Windows Platform installer to install ARR, just follow the instructions therein. Alternatively you can do it manually, which I haven't tried.
Configure ARR
ARR is configured from the IIS Manager console.
So fire it up (windows key + r -> inetmgr) and let's get started:
We first create a Server Farm for the MS Dynamics CRM Web Servers. If you have web and application CRM servers then you only need to add the web servers. We have full servers.
Ensure you add all servers, not just one server, unless you only have one server like myself in this environment :)
If you are only using ARR to expose MS Dynamics CRM to the outside world, then it's probably ok to click yes here.
We can now configure our server farm.
We want to make sure that traffic is only directed to servers that are up and running so I normally set the organization's wsdl page as the health test URL. The server's page (using FQDN) should also work and in fact should be used if you have more than one organization.
The other thing that needs to be done is to set load balancing to be a based on Client affinity, in other words, a client will always hit the same server, unless that server is down. This is an optional step, that's only required, as far as I can tell, for reports.
We now need to check that the routing rule is correct for the current set up.
Pretty simple, as we're sending everything that hits this server onward to the MS Dynamics CRM Farm. However, the rule will, by default, forward it to http rather than https, so this needs to be changed.
The final step is to create the proxy websites. I'm going to assume that a wildcard certificate has been installed already for the server. These website will receive the traffic from the internet and forward it to the MS Dynamics CRM Web Servers.
When using IFD, a website is needed for each organization and another one for the auth website. You can also add one for the discovery service, but as far as my limited testing goes, it works without it.
At this point ARR is configured, now all that remains is to set up name resolution.
I normally use CNAME aliases for auth, disc and the various organizations to point to the ARR server:
stark.dev.local --> ARR Server (Organization)
auth.dev.local --> ARR Server (auth)
disc.dev.local --> ARR Server (discovery)
In my next post I will add ADFS to the reverse proxy, note that it's perfectly acceptable to use ARR for this purpose as well, but it also possible to use WAP, which provides pre-authentication.