The Microsoft Dynamics CRM Blog
News and views from the Microsoft Dynamics CRM Team

IAG SP2: Securely Publishing Dynamics CRM 4.0

We are pleased to announce the upcoming availability of the Intelligent Application Gateway (IAG) Service Pack 2 (SP2) which provides a number of key enhancements, including a new application optimizer for Microsoft Dynamics CRM 4.0. The IAG team has always viewed CRM as an important scenario, and we feel confident that this update will help you protect your CRM deployments.

CRM is an application that most organizations want to make available to their remote employees and business partners. However, the CRM application can also contain extremely sensitive information. As a result, it is important to pay special attention to the related security issues, including protecting the CRM server and preventing unintended information leakage. IAG SP2 provides built-in support for all of these requirements, specifically adapted for Dynamics CRM 4.0. SP2 also enhances the overall administrator experience.

Using the new SP2 application optimizer to publish a Dynamics CRM 4.0 deployment automatically:

  • Prevents file downloads from unhealthy or unmanaged computers
  • Prevents uploads from computers that aren't running anti-virus software
  • Controls who can export CRM data to Excel, and from which devices
  • Cleans the user’s cache and temporary files after a session ends (e.g. if your CEO used “export to Excel” from an Internet kiosk…)
  • Adds timeout and logoff functionality to reduce the risk of session hijacking
  • Provides strong authentication to CRM servers (for example, smartcards and one-time passwords)
  • Supports ADFS
  • Provides single sign on (SSO) to and from the CRM server to any other application published by IAG
  • Forwards only valid HTTP requests to back-end servers

Note: Also keep in mind that because the CRM server is separated at the application level from external users, it is already protected from most malicious attacks.

As always, the IAG team performed extensive testing on Dynamics CRM 4.0 behind IAG to ensure that SP2 doesn't break any CRM functionality or harm performance.

Making it easier to provide Internet access to an organization's CRM application can unlock new and exciting models that leverage current CRM deployments:

  • Allowing secured access from unmanaged machines such as employees' home PCs, Internet kiosks and mobile devices.
  • Providing business partners with access to a subset of the CRM functionality to allow them to update their work without employee involvement. IAG SP2 handles the authentication (e.g. using ADFS) and ensures that partners cannot access sensitive parts or perform actions such as exporting data to Microsoft Excel. For example, if a subcontractor is providing service for all your customers in a specific region, you could allow its employees to access contacts and service for their customers but block them from viewing contracts, quotes and marketing, or from uploading files.

For more information, see http://www.microsoft.com/iag. Additional detail will also be provided later this month at the Convergence conference in Copenhagen.

Cheers,

Meir Mendelovich, IAG Product Group

Jim Toland, Dynamics CRM Engineering for Enterprise team

  • Hi,

    This sounds very promising. Just wanted to make sure that we don't run into any issues similar to those with ISA 2006:

    http://blogs.technet.com/isablog/archive/2008/07/23/publishing-microsoft-crm-4-0-through-isa-server-2006.aspx

    We have several tenants for whom we host CRM 4.0. This means that we have CRM server setup for IFD authentication. Our end users also need to use CRM Outlook client. We have our own ASP.NET application also hosted for same tenants. What we are after is a single-sign-on between CRM and our own ASP.NET application. For this to work with ISA, we would need to have ISA server's forms authentication on. But in this scenario, we ran into CRM Outlook client authentication issue.

    Any information regarding CRM Outlook client authentication with IAG would be greatly appreciated.

    Thanks.

  • Jose,

    You can configure such SSO scenario with IAG. You could publish the CRM and your ASP.Net application with IAG and publish again the CRM using ISA only for the Outlook Client (even on a different address).

    Currently we don't support Outlook Client authentication :-(

    We are working on this.

    Thanks,

         Meir Mendelovich :->

  • Ah full speed ahead -- how about clearly stating in the BLOG that this great new IAG/CRM piece does NOT work with the CRM/Outlook client.

    So really, I need to configure CRM with IFD and then punch a hole through IAG in order to use my Outlook/CRM client... but wait my orgname + domain name is snapshotcyclefullofadventures.domain.com (Rather long) I want to use IAG to turn it into crm.domain.com -- sure IAG or even ole ISA can do this for me -- however will this work 100% in CRM? Or will I run into fun issues like exporting to excel etc?

    Documentation my friends – let’s get it out there.

  • Oh yeah! We even have an initiative just focusing on this. They go under the name CRM E2 - Engineering

  • Will IAG SP2 publish CRM4 Mobile Express  to WinMobile 6/6.1 PDA's?

    We tried publishing CRM4 Mobile with ISA2006, but didn't have success...

    thanks Graham

  • Do you have any information on how this will scale in front of CRM 4.0 ?

    If we have 200 CRM Multitenant organisations how many IAG would you require and is it available in a H/A load balancing configuration ?

    Thanks

    Wayne

  • Is there any update on the IAG support for the Outlook plugin?  Is this implemented in the most recent SP2?
