Configure an Internet-facing deployment


Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

Configuring an Internet-facing deployment (IFD) lets users get to Microsoft Dynamics 365 from the Internet, outside the company firewall, without using a virtual private network (VPN). Microsoft Dynamics 365 configured for Internet access uses claims-based authentication to verify credentials of external users. When you configure Microsoft Dynamics 365 for Internet access, integrated Windows authentication must remain in place for users accessing Microsoft Dynamics 365 through your LAN or WAN.


Claims-based authentication is required for Microsoft Dynamics 365 Internet-facing deployment (IFD) access. If Microsoft Dynamics 365 is deployed in the same domain where all Microsoft Dynamics 365 users are located or users are located in a trusted domain, claims-based authentication is not required for intranet Microsoft Dynamics 365 access.

Before you run the Configure Claims-Based Authentication Wizard, a security token service (STS), such as Active Directory Federation Services (AD FS) must be available. For more information about Active Directory Federation Services (AD FS), see Identity and Access Management.

Configure Internet-facing deployment

  1. Start the Deployment Manager.

  2. If you have not already done so, configure claims-based authentication.

    See Configure claims-based authentication.

  3. Open the Internet-Facing Deployment Configuration Wizard in one of two ways:

    • In the Actions pane, click Configure Internet-Facing Deployment.

    • In the Deployment Manager console tree, right-click Microsoft Dynamics 365, and then click Configure Internet-Facing Deployment.

  4. Review the page, and then click Next.

  5. On the Make Microsoft Dynamics 365 available to users who connect through the Internet page, type the domains for the specified Microsoft Dynamics 365 Server roles, and then click Next.


    • Specify domains, not servers.

    • If your deployment is on a single server or servers in the same domain, the Web Application Server Domain and Organization Web Service Domain will be identical.

    • The Discovery Web Service Domain must be a subdomain of the Web Application Server Domain. By default, "dev." is pre-pended to the Web Application Server Domain to make the Discovery Web Service Domain.

    • The domains must be valid for the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificate's common name or names.

    For more information about web addresses, see Install Microsoft Dynamics CRM Server on multiple computers.

  6. In the Enter the external domain where your Internet-facing servers are located box, type the external domain information where your Internet-facing Microsoft Dynamics 365 servers are located, and then click Next.

    The domain you specify must be a subdomain of the Web Application Server Domain specified in the previous step. By default, "auth." is pre-pended to the Web Application Server Domain.

  7. On the System Checks page, review the results, fix any problems, and then click Next.

  8. On the Review your selections and then click Apply page, verify your selections, and then click Apply.

  9. Click Finish.

  10. If you experience issues connecting to Microsoft Dynamics 365 through an external address, reset Internet Information Services (IIS).

    Restart Internet Information Services (IIS). To do this, click Start, click Run, type IISRESET, and then click OK.

  11. Configure relying parties for IFD.


    You must configure a relying party for IFD. For more information, see Configure the AD FS server for IFD.

See Also

Configure claims-based authentication
Disable an Internet-facing deployment

© 2016 Microsoft. All rights reserved. Copyright