Microsoft Dynamics CRM 2011 offers an internet-facing deployment (IFD), just like the previous version. Well, not exactly like the previous version -- you can still set up your CRM deployment to be accessible from the internet for your mobile users, but the process of setting it up is significantly more complicated. CRM 2011 takes advantage of Active Directory Federation Services (ADFS), a standards-based technology for controlling access to internet services. So, you'll have to set up ADFS on your network, and you'll also have to buy an SSL certificate for your CRM server (which is a good idea anyway).
Microsoft's official documentation for doing an IFD installation is in the
However, many bloggers have pointed out that the documentation leaves out a few important details. Here's a gloss on the Microsoft documentation that we found helpful.
Also, here's a video from the Dynamics CRM team that's worth watching to get a feel for the process.
Here are a few more "gotchas" that we wish we had known before our first IFD installations:
1. The new claims-based authentication methodology requires the browser to communicate directly with both the CRM web server and the ADFS server. For many deployments both services will be hosted on the same server, but if they are not, you have to be sure to open up your firewall ports for SSL on BOTH servers, and have public IP addresses for both boxes as well. (Fortunately, you don't need two separate SSL certificates if you use a wildcard certificate, as Microsoft recommends.)
2. If you are installing your ADFS service on the same machine as your CRM web server, you must be sure that you do NOT install your CRM organization into the default website in IIS. ADFS must be the default website, so your CRM needs to be in a different site.
3. When you set up your internet-facing deployment, the external URL for your CRM organization must be <organizationname>.yourdomain.com. The requirement makes perfect sense for a multi-tenancy server that has lots of different organizations on it; however, most on-premise installations are only going to have one production organization on them. Many well-meaning systems administrators set up their CRM organization with a very thorough name, e.g. "Lexington Automotive Assembly LLC", not realizing that their mobile users will now be forced to type lexingtonautomotiveassemblyllc.lexingtonautomotive.com to connect to their CRM. Most users and admins would prefer something a lot simpler, like "crm.lexingtonautomotive.com". However, the only way to achieve that is to give your CRM organization a very short and simple name when you set it up. (You could, of course, set up a redirect on your web server to send a short, memorable address to the longer address.)
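
A pre-flight check for gotchas 1 and 3, added here as an illustration (it is not Microsoft's or the CRM team's code): it derives each organization's external hostname and tests whether a wildcard certificate covers it and the ADFS host. The function names, the ADFS hostnames and the rule for turning an organization name into a URL label (lower-case, spaces dropped, as in the example above) are assumptions.

```python
import re

def org_hostname(org_name, domain):
    """External IFD hostname: <organizationname>.<domain>.

    Assumption: the URL label is the organization name lower-cased with
    everything but letters, digits and hyphens dropped, as in the example above.
    """
    label = re.sub(r"[^a-z0-9-]", "", org_name.lower()).strip("-")
    if not label or len(label) > 63:  # a DNS label is 1 to 63 characters
        raise ValueError(f"{org_name!r} does not yield a usable DNS label")
    return f"{label}.{domain.lower()}"

def cert_covers(hostname, cert_names):
    """True if any certificate name matches hostname.

    A wildcard name '*.example.com' stands for exactly one leftmost label:
    it matches 'crm.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*."):
            first_label, _, parent = host.partition(".")
            if first_label and parent == name[2:]:
                return True
    return False

def ifd_preflight(org_names, domain, adfs_host, cert_names):
    """Map every hostname the browser must reach over SSL to True/False coverage."""
    hosts = [org_hostname(o, domain) for o in org_names] + [adfs_host.lower()]
    return {h: cert_covers(h, cert_names) for h in hosts}

if __name__ == "__main__":
    # Constructed sample data; the ADFS hostnames are hypothetical.
    cert = ["*.lexingtonautomotive.com"]
    orgs = ["Lexington Automotive Assembly LLC", "crm"]
    for adfs in ("sts.lexingtonautomotive.com", "adfs.corp.lexingtonautomotive.com"):
        for host, ok in ifd_preflight(orgs, "lexingtonautomotive.com", adfs, cert).items():
            print(f"{'covered    ' if ok else 'NOT COVERED'}  {host}")
```

The second ADFS hostname shows the case a single wildcard certificate does not handle: a server placed one level deeper than the CRM organization names needs its own certificate name.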