Configure a Dynamics 365 Customer Engagement (on-premises) Internet-facing deployment

You can deploy Dynamics 365 for Customer Engagement so that remote users can connect to the application through the Internet. The following Internet-facing deployment (IFD) configurations are supported:

  • Dynamics 365 for Customer Engagement for internal users only

  • Dynamics 365 for Customer Engagement for internal users and IFD access

  • Dynamics 365 for Customer Engagement for IFD-only access

Configuring an IFD enables access to Dynamics 365 for Customer Engagement from the Internet, outside the company firewall, without using a virtual private network (VPN) solution. Dynamics 365 for Customer Engagement configured for Internet access uses claims-based authentication to verify credentials of external users. When you configure Dynamics 365 for Customer Engagement for Internet access, integrated Windows Authentication must remain in place for internal users.

To let users access the application over the Internet, the server that is running Internet Information Services (IIS) where the Dynamics 365 for Customer Engagement application is installed must be available over the Internet.

For more information, see Accessing Microsoft Dynamics 365 from the Internet - Claims-based authentication and IFD requirements.

About claims-based authentication

The claims-based security model extends traditional authentication models to include other directory sources that contain information about users. This identity federation lets users from various sources, such as Active Directory Domain Services (AD DS), customers via the Internet, or business partners, authenticate with native single sign-on.

The claims-based model has three components: the relying party, which needs the claim to decide what it is going to do; the identity provider, which provides the claim; and the user, who decides what, if any, information they want to provide. Microsoft provides a claims-based access solution called Active Directory Federation Services (AD FS). AD FS enables Active Directory Domain Services (AD DS) to be an identity provider in the claims-based access platform.

AD FS consists of the following components:

  • AD FS Framework provides developers pre-built .NET security logic for building claims-aware applications, enhancing either ASP.NET or WCF applications.

  • Active Directory Federation Services (AD FS) is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access. AD FS supports the WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) protocols. AD FS can also issue and manage information cards for AD DS users.

For more information about AD FS, see:

Internet-facing server best practices

Implement a strong password policy

To reduce the risk of "brute-force attacks", we strongly recommend that you implement a strong password policy for remote users who are accessing the domain where Dynamics 365 for Customer Engagement is installed. For more information about how to implement a strong password policy in Windows Server, see Creating a Strong Password Policy and the "Understanding User Accounts" topic in Active Directory Users and Computers Help.
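One way to check the policy recommended above is the following added example, which is not part of the original article. It reads the default domain policy and any fine-grained policies with the ActiveDirectory module and flags settings that weaken protection against password guessing. The baseline numbers and the function name Test-PasswordPolicy are assumptions for illustration.

```powershell
# Added example: flag password and lockout settings that leave accounts open to guessing.
# Baseline numbers are assumptions for illustration; substitute your organization's standard.
$Baseline = @{ MinLength = 14; MaxLockoutThreshold = 10; MinLockoutMinutes = 15 }

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Name = 'Default Domain Policy')
    $findings = @()
    if (-not $Policy.ComplexityEnabled)      { $findings += 'Complexity requirements are disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'Passwords are stored with reversible encryption' }
    if ($Policy.MinPasswordLength -lt $Baseline.MinLength) {
        $findings += "Minimum length $($Policy.MinPasswordLength) is below $($Baseline.MinLength)"
    }
    if ($Policy.LockoutThreshold -eq 0) {
        # A threshold of 0 means accounts never lock, so sign-in attempts are unlimited.
        $findings += 'Account lockout is disabled (LockoutThreshold = 0)'
    } else {
        if ($Policy.LockoutThreshold -gt $Baseline.MaxLockoutThreshold) {
            $findings += "Lockout threshold $($Policy.LockoutThreshold) exceeds $($Baseline.MaxLockoutThreshold)"
        }
        # A duration of 0 keeps the account locked until an administrator unlocks it,
        # so only a short, non-zero duration is reported.
        $minutes = $Policy.LockoutDuration.TotalMinutes
        if ($minutes -gt 0 -and $minutes -lt $Baseline.MinLockoutMinutes) {
            $findings += "Lockout duration of $minutes minutes is below $($Baseline.MinLockoutMinutes)"
        }
    }
    [pscustomobject]@{ Policy = $Name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live check on a domain-joined machine with the RSAT ActiveDirectory module.
    Import-Module ActiveDirectory
    Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
    Get-ADFineGrainedPasswordPolicy -Filter * |
        ForEach-Object { Test-PasswordPolicy -Policy $_ -Name $_.Name }
} else {
    # Constructed sample so the function can be exercised without a domain.
    $sample = [pscustomobject]@{
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordLength           = 7
        LockoutThreshold            = 0
        LockoutDuration             = [timespan]::FromMinutes(30)
    }
    Test-PasswordPolicy -Policy $sample -Name 'Constructed sample'
}
```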

Internet connection firewall

The current Windows Server operating systems provide firewall software to prevent unauthorized connections to the server from remote computers. For more information about how to configure the Internet connection firewall for Internet Information Services (IIS) Manager, see the IIS Help.

For information about how to make a Web site available on the Internet, see the "Domain Name Resolution" topic in the IIS Help.

Advanced network security

If you do not have a secure proxy and firewall solution on your network, we recommend that you use a dedicated remote access, proxy, or firewall server, such as the Windows Server Remote Access Server role or Windows Firewall with Advanced Security. For more information, see Remote Access Overview and Windows Firewall with Advanced Security Overview.

Configure IFD

Use the following steps as configuration guidelines.

Step 1: Configure Microsoft Dynamics 365 Server for Internet access

You can configure Dynamics 365 Server for Internet access. To do this, run the Configure Claims-Based Authentication Wizard, and then run the Internet-Facing Deployment Configuration Wizard where the Deployment Administration Server role is installed. For more information, see Configure claims-based authentication and Configure an Internet-facing deployment.

Step 2: Configure mobile clients to connect to Dynamics 365 Server

For the tablet and phone apps to be able to access the Dynamics 365 Server over the Internet, you must configure OAuth. More information: Configure Windows Server for Dynamics 365 Customer Engagement (on-premises) applications that use OAuth

Step 3 (optional): Configure Microsoft Dynamics 365 for Outlook to connect to Dynamics 365 Server

For Dynamics 365 for Outlook to be able to access the Dynamics 365 Server over the Internet, you must specify the external Web address that will be used to access the Internet-facing Dynamics 365 Server. To do this, you must install Dynamics 365 for Outlook, and then run the Configuration Wizard. Then, during configuration, type the external Web address in the External Web address box. If you install server roles, this Web address must specify where the Discovery Web Service role is installed. For more information about how to configure Dynamics 365 for Outlook, see Set up Dynamics 365 for Outlook.

For detailed steps to configure IFD, see Configure IFD for Microsoft Dynamics 365.
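The following added example, which is not part of the original article, is a read-only check that Steps 1 and 2 took effect. It runs in Windows PowerShell on the server where the Deployment Administration Server role is installed. It assumes the Microsoft.Crm.PowerShell snap-in and the ClaimsSettings, IfdSettings and OAuthClaimsSettings setting types with the property names shown; the function name Test-IfdReadiness and the sample values are hypothetical.

```powershell
# Added example: report whether claims-based authentication, IFD and OAuth are enabled.
# Property names are assumed from the Dynamics 365 deployment settings objects.
function Test-IfdReadiness {
    param($Claims, $Ifd, $OAuth)

    # Count IFD domain values that were left empty by the wizard.
    $missing = 0
    foreach ($d in @($Ifd.WebApplicationRootDomain, $Ifd.OrganizationWebServiceRootDomain,
                     $Ifd.DiscoveryWebServiceRootDomain, $Ifd.ExternalDomain)) {
        if ([string]::IsNullOrWhiteSpace($d)) { $missing++ }
    }

    $checks = [ordered]@{
        'Claims-based authentication enabled (Step 1)' = [bool]$Claims.Enabled
        'Federation metadata URL uses HTTPS'           = "$($Claims.FederationMetadataUrl)" -like 'https://*'
        'Internet-facing deployment enabled (Step 1)'  = [bool]$Ifd.Enabled
        'All IFD domain values are populated'          = ($missing -eq 0)
        'OAuth enabled for mobile clients (Step 2)'    = [bool]$OAuth.Enabled
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
}

if (Get-PSSnapin -Registered -Name Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue) {
    # Live check: Get-CrmSetting only reads the deployment configuration.
    Add-PSSnapin Microsoft.Crm.PowerShell -ErrorAction SilentlyContinue
    Test-IfdReadiness -Claims (Get-CrmSetting -SettingType ClaimsSettings) `
                      -Ifd    (Get-CrmSetting -SettingType IfdSettings) `
                      -OAuth  (Get-CrmSetting -SettingType OAuthClaimsSettings)
} else {
    # Constructed sample values: claims and IFD configured, OAuth not yet enabled.
    $claims = [pscustomobject]@{ Enabled = $true
        FederationMetadataUrl = 'https://sts.example.com/federationmetadata/2007-06/federationmetadata.xml' }
    $ifd = [pscustomobject]@{ Enabled = $true
        WebApplicationRootDomain         = 'example.com:443'
        OrganizationWebServiceRootDomain = 'example.com:443'
        DiscoveryWebServiceRootDomain    = 'dev.example.com:443'
        ExternalDomain                   = 'auth.example.com:443' }
    $oauth = [pscustomobject]@{ Enabled = $false }
    Test-IfdReadiness -Claims $claims -Ifd $ifd -OAuth $oauth
}
```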