There are a number of options presented by the installation process for the Dotdigital for Microsoft Dynamics connector. In this article we outline those options and give guidance on recommended practice to help the installation run smoothly.

Microsoft CRM Online is fully supported. The Dotdigital for Dynamics connector is provided as a managed solution, which gives you full control of the connector.

Partner-hosted Dynamics CRM solutions can be accessed from the internet and only standard customisation changes are required. The connector requires a new user account that has access to the Dynamics CRM Web Services (CRM Service and Metadata Service).

On each server that is installed with the partner-hosted Dynamics CRM Server 2011/2013, you must enable anonymous authentication for the 2007 SPLA CrmDiscoveryService.

If you host your own Dynamics CRM, you can use one of the following three methods to connect it to the Dotdigital for Dynamics connector:

The main difference between internet-facing deployment (IFD) and a non-IFD-enabled on-premise deployment is the way in which users are authenticated. In a non-IFD-enabled on-premise deployment, Internet Information Services (IIS) handle most of the authentication through integrated Windows authentication.

In IFD-enabled deployment, the Dynamics CRM is open for anonymous access outside of your local network because authentication is claims-based, using the Active Directory Federation Services (ADFS) component from Microsoft. IFD is the recommended method from Microsoft for configuring secure external access to your Dynamics CRM.

To make your Dynamics CRM IFD-enabled:

If you block or filter inbound traffic based on IP address, then please add the following IP addresses to your firewall rules:

Your organisation may not have a public-facing IFD environment and may already use a reverse proxy solution to publish internal web sites to the Internet. Using a reverse proxy implementation instead of port forwarding is generally more secure, as the reverse proxy sends requests on behalf of Dotdigital for Dynamics and processes responses on behalf of your CRM server – the two solutions have no direct communication but the reverse proxy must be able to pass on the NTLM credentials to the CRM servers. All communication should be undertaken over HTTPS.

In this approach all communication is undertaken with an internet-exposed static IP address and accompanying Fully Qualified Domain Name (FQDN) which can be resolved using public DNS systems. In this scenario, it is strongly recommended that all network traffic is encrypted and that HTTPS is used, which requires a valid SSL certification to be installed on your environment.

This approach involves your Dynamics CRM Server being directly accessible from the Internet and will use standard Windows authentication to access the CRM system. This option is not usually recommended without secure firewalls being in place and SSL connectivity.

In this approach, all communication is undertaken with an internet-exposed static IP address and accompanying Fully Qualified Domain Name (FQDN) which can be resolved using public DNS systems. In this scenario, it is strongly recommended that all network traffic is encrypted and that HTTPS is used, which requires a valid SSL certification to be installed on your environment.

If you block or filter inbound traffic based on IP address, add the following IP addresses to your firewall rules:

To use the connector, the internal CRM website must be internet accessible through standard web publishing techniques, including opening the firewall to a public IP for the CRM server and permitting direct Windows authentication.

This approach is less complex to configure than IFD and both users and our service would be able to access CRM externally through standard Windows authentication. As stated above, you should configure your firewall to restrict access to only our IP addresses for better security, but traffic will not be encrypted if you don't use SSL, which is against best practice and would be at your own risk.