Network Segmentation

The reference architecture for hosted Microsoft Dynamics CRM 2011 is based on a three-tiered, four-zone approach, where the tiers define various levels of scale, and the zones illustrate the use of network segmentation to reduce the attack surface and secure data access.

The zones referenced in Microsoft Dynamics CRM 2011 are as follows:

Zone 0 - "Boundary"

  • The area of the network that is closest to the Internet. Generally, this security zone contains the boundary routers, intrusion detection, first layer of denial of service (DoS) blocking, and boundary firewalls.

  • Secure Sockets Layer (SSL) and initial access/certificate validation may be located at this layer. Network Operation Center (NOC) services may be logically housed in this zone.

  • For Microsoft Dynamics CRM 2011, none of its servers resides in this zone.

Zone 1 - "Edge"

  • This zone contains those servers and services that provide first-level authentication, application proxy services, and load balancing across Zone 1 servers and services.

  • Servers in this zone have no domain membership in the Zone 3 Active Directory directory service and no direct connection to servers in Zone 3; this reduces the attack surface.

  • Servers in this zone are locked down, following a "Secure by Default" approach.

  • Communication via secure protocols between servers in Zone 1 and Zone 2.

Zone 2 - "Proxy"

  • Servers in this zone have domain membership with Active Directory in Zone 3.

  • Servers in this zone relay, or "proxy", authentication requests between Zone 1 and Zone 3.

  • Two-tier services or applications use a firewall or gateway in Zone 1 to publish secure application access instead of a dedicated Zone 1 (edge) server.

  • CRM 2011 Front-end Application Server roles reside in this zone.

  • Though included in Zone 2 for the example deployment in this guide, the following servers could be deployed in either Zone 2 or Zone 3 based on your security requirements, because they are not accessed by remote end users:

      • CRM 2011 Back-end Asynchronous and Sandbox Server roles

      • CRM 2011 Deployment Service role server

      • CRM 2011 E-mail Router servers

      • SQL Reporting Servers for CRM 2011

Zone 3 - "Data center"

  • Most secure area of the network.

  • Data repository servers reside in this zone.

  • No direct access to these servers. Access is via proxies in Zone 2 or published services via firewall or gateway in Zone 1.

  • CRM 2011 databases reside in this zone.
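The zone rules above reduce to two checks that can be applied mechanically to a proposed firewall rule set: traffic may only cross one zone boundary per hop (so Zone 1 never reaches Zone 3 directly, and Zone 3 is reached only through Zone 2 proxies or a gateway in Zone 1), and no host in Zone 0 or Zone 1 may be joined to the Zone 3 Active Directory domain. The script below is an added example, not code from the hosting guide: it models the four zones with the role placement from this page, and the host names, ports and sample rules are constructed for illustration.

```python
"""Audit candidate firewall flows against the four-zone CRM 2011 model."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Zones from the reference architecture, in order of increasing trust.
ZONES = {0: "Boundary", 1: "Edge", 2: "Proxy", 3: "Data center"}

# Host placement following the role-to-zone mapping on this page.
# Host names are constructed for this example.
HOST_ZONE: Dict[str, int] = {
    "bdr-fw01": 0,       # boundary firewall
    "edge-proxy01": 1,   # first-level auth, application proxy, load balancer
    "crm-fe01": 2,       # CRM 2011 Front-end Application Server
    "crm-async01": 2,    # Asynchronous and Sandbox Server roles
    "crm-email01": 2,    # E-mail Router
    "sql-rs01": 2,       # SQL Reporting Services for CRM
    "crm-sql01": 3,      # CRM 2011 databases
    "ad-dc01": 3,        # Zone 3 Active Directory domain controller
}

# Whether each host is joined to the Zone 3 Active Directory domain.
# Zone 2 and Zone 3 hosts are members; Zone 0 and Zone 1 hosts must not be.
DOMAIN_JOINED: Dict[str, bool] = {
    "bdr-fw01": False, "edge-proxy01": False,
    "crm-fe01": True, "crm-async01": True, "crm-email01": True,
    "sql-rs01": True, "crm-sql01": True, "ad-dc01": True,
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    note: str = ""


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """A flow is allowed only between hosts in the same or adjacent zones."""
    sz, dz = HOST_ZONE[flow.src], HOST_ZONE[flow.dst]
    if abs(sz - dz) > 1:
        return False, (f"{flow.src} ({ZONES[sz]}) -> {flow.dst} ({ZONES[dz]}) "
                       f"port {flow.port}: crosses more than one zone boundary")
    return True, "ok"


def audit_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that violates the adjacency rule, with the reason."""
    violations = []
    for flow in flows:
        ok, reason = check_flow(flow)
        if not ok:
            violations.append((flow, reason))
    return violations


def audit_domain_membership(host_zone: Dict[str, int],
                            domain_joined: Dict[str, bool]) -> List[str]:
    """Hosts in Zone 0 or Zone 1 that are joined to the Zone 3 domain."""
    return sorted(h for h, z in host_zone.items()
                  if z < 2 and domain_joined.get(h, False))


def path_is_segmented(path: List[str]) -> bool:
    """True if every hop along the path stays within adjacent zones."""
    return all(check_flow(Flow(a, b, 0))[0] for a, b in zip(path, path[1:]))


# Constructed rule set: the last two entries are the kind of shortcut an
# audit should catch, because they connect the Edge zone to the Data center.
SAMPLE_RULES = [
    Flow("bdr-fw01", "edge-proxy01", 443, "published HTTPS"),
    Flow("edge-proxy01", "crm-fe01", 443, "proxied application traffic"),
    Flow("crm-fe01", "crm-sql01", 1433, "front end to CRM database"),
    Flow("crm-fe01", "ad-dc01", 389, "LDAP from a domain member"),
    Flow("crm-async01", "crm-sql01", 1433, "async service to database"),
    Flow("sql-rs01", "crm-sql01", 1433, "reporting to database"),
    Flow("edge-proxy01", "crm-sql01", 1433, "edge host straight to SQL"),
    Flow("edge-proxy01", "ad-dc01", 389, "edge host straight to AD"),
]

if __name__ == "__main__":
    for _, reason in audit_flows(SAMPLE_RULES):
        print("VIOLATION:", reason)
    print("domain-joined edge hosts:", audit_domain_membership(HOST_ZONE, DOMAIN_JOINED))
    print("edge -> fe -> sql segmented:", path_is_segmented(["edge-proxy01", "crm-fe01", "crm-sql01"]))
```

Running the script reports the two Edge-to-Data-center rules as violations and confirms that the edge, front-end, database path is acceptable because each hop crosses exactly one boundary; the domain-membership check returns an empty list for the placement above and would name any Zone 1 host that was later joined to the Zone 3 domain.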