Setting up an Internet-facing deployment of Dynamics 365 Customer Engagement (on-premises)

Are the logged-in users local domain users or external ones? Dynamics 365 for Customer Engagement that is configured for Internet access employs Claims-based authentication to authenticate the credentials of external users.

By leveraging
Dynamics 365
, you can enable remote users to access the application via the Internet for Customer Engagement purposes. The deployment of
offers several supported configurations for Internet-Facing Deployment (IFD).

  • Exclusively for <a class=”text-blue-600″ href=”” title=”Isolated User Mode (IUM) Processes”>internal users</a>, Dynamics 365 for Customer Engagement is available.

  • Access to Dynamics 365 for Customer Engagement is available for both internal users and those who require IFD access.

  • Access to Dynamics 365 for Customer Engagement restricted to IFD-only users.

Enabling an IFD allows external access to Dynamics 365 for Customer Engagement without relying on a VPN, even from outside a company’s firewall. To authenticate external users, Dynamics 365 for Customer Engagement configured for
Internet access
relies on
Claims-based authentication
. However, Windows Authentication must still be kept for internal users when configuring Dynamics 365 for Customer Engagement for Internet
access, integrated

users access
to access the Dynamics 365 for Customer Engagement application over the Internet, the Internet Information Services (IIS) server that hosts the application must also be accessible through the Internet.

Refer to the Claims-based authentication and IFD requirements section to learn how to access Microsoft Dynamics 365 from the internet.

About claims-based authentication

The security model based on claims goes beyond traditional authentication methods by incorporating additional directory sources that possess user-related data. This federation of identities enables users from multiple sources, including
Active Directory
Domain Services (AD DS), internet-based customers, and business associates, to perform authentication using a built-in single sign-on mechanism.

The three elements of the claims-based model are as follows: the relying party, which requires the claim to make a decision; the identity provider, which supplies the claim; and the user, who determines what information to share. Active Directory Federation Services (AD FS) is Microsoft’s claims-based access solution. AD FS allows
Active Directory Domain Services
(AD DS) to function as an identity provider within the claims-based access platform.

The components that make up AD FS include:

  • The AD FS Framework furnishes .NET security logic, which is pre-built for developers to construct <a class=”text-blue-600″ href=”” title=”Working with claims-aware apps in Application Proxy”>claims-aware applications</a> and augment ASP.NET or WCF applications.

  • AD FS, which facilitates the issuance and transformation of claims, enables federations and manages user access, supports various protocols such as WS-Trust, WS-Federation, and SAML. Additionally, AD FS can manage information cards for AD DS users.

To learn more regarding AD FS, refer to:

  • <p>
    AD FS 2016 Overview

  • An Overview of Active Directory Federation Services on Windows Server 2012.

Internet-facing server best practices

Implement a strong password policy

To mitigate the danger of “brute-force attacks,” it is highly advised that you establish a robust password policy, referred to as
strong password
, for remote users who are logging into the domain with Dynamics 365 for Customer Engagement installed. You can discover more about creating a secure
Password Policy
for Windows Server by consulting both the “Creating a Strong Password Policy” and “Understanding User Accounts” sections in the Active Directory Users and Computers Help.

Internet connection firewall

The firewall software, available in the current Windows Server operating systems, helps in avoiding unauthorized connections to the server from remote computers. To configure the firewall for Internet Information Services (IIS) Manager, you can refer to the IIS Help.

Consult the IIS Help section on “Domain Name Resolution” to learn how to make a website accessible on the internet.

Advanced network security

To ensure the security of your network, we suggest utilizing a distinct server for remote access, proxy, or firewall, like the Windows Server Remote Access Server role or
Windows Firewall
with Advanced Security, in case you don’t have a secure proxy and firewall solution installed. For further details, please refer to the Remote Access Overview and
windows firewall with advanced security overview

Configure IFD

Utilize the subsequent procedures as directives for configuration.

Step 1: Configure Microsoft Dynamics 365 Server for Internet access

To enable Internet access on
Dynamics 365 Server
, follow these steps: launch the
Configure claims-based authentication
Wizard and then initiate the
Deployment Configuration Wizard on the server with the Deployment Administration Server role. For further guidance, refer to the configuration instructions for claims-based authentication and setting up an Internet-facing deployment.

Step 2: Configure mobile clients to connect to Dynamics 365 Server

To enable the tablet and phone apps to access Dynamics 365
server over the internet
, you need to set up OAuth. Check out the instructions for configuring Windows Server for on-premises Dynamics 365 Customer Engagement applications that use OAuth to learn more.

Step 3 (optional): Configure Microsoft Dynamics 365 for Outlook to connect to Dynamics 365 Server

To enable Dynamics 365 for Outlook to connect with the Dynamics 365 Server through the Internet, you need to indicate the external Web address that will be utilized to access the Internet-facing Dynamics 365 Server. This can be achieved by performing
install dynamics 365 for outlook
and then launching the Configuration Wizard. During the configuration process, you should input the external Web address in the designated box. If you have server roles installed, the Web address should indicate the location of the Discovery Web Service role. Further information on the configuration of Dynamics 365 for Outlook can be found in the set up dynamics 365 for outlook guide.

Refer to the instructions provided in Configure IFD for Microsoft Dynamics 365 for comprehensive guidance on setting up IFD.

Frequently Asked Questions

Posted in Uncategorized