
Microsoft Dynamics CRM Planning Guide


Date: 18.07.2016

Planning Deployment Advanced Topics


This chapter describes some of the common topics about how to plan the deployment of Microsoft Dynamics CRM for the enterprise.

In This Chapter


Advanced deployment options for Microsoft Dynamics CRM Server

Advanced deployment options for Microsoft Dynamics CRM for Outlook




Advanced deployment options for Microsoft Dynamics CRM Server


This section describes advanced deployment options for Microsoft Dynamics CRM Server.

Update Setup files by using a local package


The update Setup feature can indicate if you have the latest updates to Microsoft Dynamics CRM before you run Setup. With this feature, you can specify where Setup locates the .MSP package applied to the Setup files. This gives you additional control over the update, and also lets you apply the update package locally without the need of an Internet connection.

To specify the location, you must edit the XML Setup configuration file


element and then run Setup from the command prompt. For information about how to specify the package to apply, see "Use the Command Prompt to install Microsoft Dynamics CRM" in the Installing Guide.

For information about MSP packages for Microsoft Dynamics CRM Setup, see Microsoft Knowledge Base article 948917: How to obtain the Setup updates for Microsoft Dynamics CRM 4.0 (http://go.microsoft.com/fwlink/?linkid=102967).


Install server roles


To install server roles, you can select one of the following options:

  • Run the Microsoft Dynamics CRM Server Setup Wizard Custom option to select from two server role groups.

  • Configure an XML Setup configuration file and then run Setup at the command prompt to specify a server role group or one or more individual server roles.

For information about planning server roles, see "Server roles" in this document. For information about installing server roles, see "Use the Command Prompt to install Microsoft Dynamics CRM" in the Installing Guide.

Configure a Microsoft Dynamics CRM Internet-facing deployment


You can deploy Microsoft Dynamics CRM so that remote users can connect to the application through the Internet. The following Internet-facing deployment (IFD) configurations are supported:

  • Microsoft Dynamics CRM for internal users only

  • Microsoft Dynamics CRM for internal users and IFD access

  • Microsoft Dynamics CRM for IFD-only access

Microsoft Dynamics CRM uses integrated Windows authentication to authenticate internal users. Integrated Windows authentication implements pass-through authentication functionality so that Microsoft Dynamics CRM users are not prompted to log on to Microsoft Dynamics CRM after their initial sign on to the Active Directory network.

Configuring an IFD enables access to Microsoft Dynamics CRM from the Internet, outside the company firewall, without using a virtual private network (VPN) solution. Microsoft Dynamics CRM configured for Internet access uses forms authentication to verify credentials of external users. When you configure Microsoft Dynamics CRM for Internet access, integrated Windows authentication must remain in place for internal users.

To let users access the application over the Internet, the server that is running Internet Information Services (IIS) where the Microsoft Dynamics CRM application is installed must be available over the Internet.

Configuring an IFD sets the Microsoft Dynamics CRM Web site to use anonymous authentication for external users, and provides a sign on page to capture users' credentials and obtain an authentication ticket cookie. Microsoft Dynamics CRM IFD checks for a valid ticket cookie before processing the page request. When a page request does not contain a valid ticket, the page request is redirected to the sign-on page. A page request with an expired ticket is also redirected to the sign-on page. Users access the Microsoft Dynamics CRM Web site by typing the IFD URL in Internet Explorer. Because this kind of authentication sends user credentials and passwords by using clear text, you should always configure Microsoft Dynamics CRM to use Secure Sockets Layer (SSL), also known as secure HTTP.

For information about SSL, see "Make Microsoft Dynamics CRM 4.0 client-to-server network communications more secure" in the Microsoft Dynamics CRM Installing Guide. Also see the Internet Information Services (IIS) Manager Help.

For information about forms authentication, see Web Form (IFD) Authentication (http://go.microsoft.com/fwlink/?LinkId=149497).

For information about forms authentication with Active Directory, see Forms Authentication in ASP.NET (http://go.microsoft.com/fwlink/?LinkId=149498).

Methods to configure an IFD


You can configure a Microsoft Dynamics CRM Internet-facing deployment (IFD) by using one of the following methods:

  • Deploy an IFD during a Microsoft Dynamics CRM Server installation or upgrade:

  • Upgrade from Microsoft Dynamics CRM 3.0 to Microsoft Dynamics CRM 4.0 by using command-line options and an XML configuration file that contains IFD configuration information.

  • Install a new deployment of Microsoft Dynamics CRM by using command-line options and an XML configuration file that contains IFD configuration information.

  • Reconfigure an existing non-IFD deployment by running the Microsoft Dynamics CRM Internet Facing Deployment Configuration Tool. For more information, see KB article 948779: How to use the Internet Facing Deployment Configuration Tool (http://support.microsoft.com/kb/948779).



Implement a strong password policy


To reduce the risk of "brute-force attacks," we strongly recommend that you implement a strong password policy for remote users who are accessing the domain where Microsoft Dynamics CRM is installed. For more information about how to implement a strong password policy in Microsoft Windows Server, see the Best Practices topic in the Active Directory Users and Computers Help.

Internet connection firewall


The Windows Server 2003 family provides firewall software to prevent unauthorized connections to the server from remote computers. For more information about how to configure Internet Connection Firewall for Internet Information Services (IIS), see the "Before Configuring IIS" topic in Internet Information Services (IIS) Manager Help.

For information about how to make a Web site available on the Internet, see the Domain Name Resolution topic in the Internet Information Services (IIS) Manager Help.


Proxy/firewall server


If you do not have a secure proxy and firewall solution on the network, we recommend that you use a dedicated proxy and firewall server, such as Microsoft Internet Security and Acceleration Server (ISA). ISA Server can act as a gateway between the Internet and the Microsoft Dynamics CRM application. ISA Server protects your IT infrastructure while providing users with fast and secure remote access to applications and data. For more information, see Internet Security and Acceleration Server (http://go.microsoft.com/fwlink/?linkid=102704).

Follow these steps as configuration guidelines:



Step 1: Install Microsoft Dynamics CRM Server for Internet access

  • You can deploy Microsoft Dynamics CRM Server for Internet access by preparing an XML Setup configuration file, and then running Setup at the command prompt. For more information, see "Use the Command Prompt to Install Microsoft Dynamics CRM" in the Microsoft Dynamics CRM Installing Guide.

When you deploy Microsoft Dynamics CRM for Internet access, the following settings are configured:

  • The Microsoft Dynamics CRM Web site is configured to accept a nonsecure connection. We strongly recommend that you modify the Microsoft Dynamics CRM Web site so that SSL is required. For more information about how to configure a Web site to use SSL, see the Help in the Internet Information Services (IIS) Manager MMC snap-in.

  • The Web site allows anonymous access.

  • Internal network address information is added to the Windows registry on the computer where Microsoft Dynamics CRM Server, or the Application Server role group, is installed.

  • CRM ticket encryption is enabled. For information about Microsoft Dynamics CRM key management, see "Key management in Microsoft Dynamics CRM" in this guide.
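
A quick way to confirm whether the Web site still accepts nonsecure connections after Setup, as an added PowerShell example that is not part of the original guide: it requests the site over plain HTTP without following redirects and classifies the answer. The function names and the host name crm.example.com are placeholders chosen for this example.

```powershell
# Added example, not from the guide. crm.example.com is a placeholder host name.

function Get-HttpTransportVerdict {
    param([int]$StatusCode, [string]$Location)
    if ($StatusCode -eq 0)   { return 'No HTTP answer: plain HTTP is not reachable' }
    if ($StatusCode -eq 403) { return 'Refused: consistent with SSL being required' }
    if ($StatusCode -ge 300 -and $StatusCode -lt 400 -and $Location -like 'https://*') {
        return 'Redirects to HTTPS: the first request still travels in clear text'
    }
    return 'FINDING: the site answers over plain HTTP'
}

function Test-CrmPlainHttp {
    param([Parameter(Mandatory = $true)][string]$HostName)
    $request = [System.Net.WebRequest]::Create("http://$HostName/")
    $request.AllowAutoRedirect = $false   # inspect the first answer only
    $request.Timeout = 10000              # milliseconds
    $response = $null
    try {
        $response = $request.GetResponse()
    } catch {
        # 4xx/5xx answers surface as a WebException that still carries the response.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex) { $response = $ex.Response }
    }
    $status = 0
    $location = ''
    if ($response) {
        $status = [int]$response.StatusCode
        $location = [string]$response.Headers['Location']
        $response.Close()
    }
    New-Object PSObject -Property @{
        Host     = $HostName
        Status   = $status
        Location = $location
        Verdict  = Get-HttpTransportVerdict -StatusCode $status -Location $location
    }
}

# Constructed responses (not captured traffic) run through the classifier.
foreach ($case in @(200, ''), @(302, 'https://crm.example.com/'), @(403, ''), @(0, '')) {
    Get-HttpTransportVerdict -StatusCode $case[0] -Location $case[1]
}

# Against a real deployment, replace the placeholder with the IFD host name:
# Test-CrmPlainHttp -HostName 'crm.example.com'
```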

Step 2: Configure Microsoft Dynamics CRM for Outlook to connect to the Microsoft Dynamics CRM Server by using the Internet

For Microsoft Dynamics CRM for Microsoft Office Outlook to be able to access the Microsoft Dynamics CRM Server over the Internet, you must specify the external Web address that will be used to access the Internet-facing Microsoft Dynamics CRM Server. To do this, you must install Microsoft Dynamics CRM for Outlook and then run the Configuration Wizard. Then, during configuration, enter the external Web address in the External Web address box. If you install server roles, this Web address must specify where the Discovery Server role is installed. For more information about how to configure Microsoft Dynamics CRM for Outlook, see "Microsoft Dynamics CRM Server Installation Instructions" in the Microsoft Dynamics CRM Installing Guide.

When accessing the Microsoft Dynamics CRM Server over the Internet, the Microsoft Dynamics CRM client applications use ASP.NET forms authentication. For more information about forms authentication, see the MSDN article Explained: Forms Authentication in ASP.NET 2.0 (http://go.microsoft.com/fwlink/?linkid=102281).

For more information about Microsoft Dynamics CRM Internet-facing deployments, download the Microsoft Dynamics CRM 4.0 Internet Facing Deployment Scenarios (http://go.microsoft.com/fwlink/?linkid=108142) white paper.


Key management in Microsoft Dynamics CRM


To verify the identity of people and organizations, and to guarantee content integrity, Microsoft Dynamics CRM generates digital certificates. These electronic credentials bind the identity of the certificate owner to a pair of electronic keys (public and private) that can be used to digitally encrypt and sign information. The credentials ensure that the keys actually belong to the person or organization specified. To learn more about increasing security with keys, read the following article about key-management features in Microsoft Dynamics CRM.

Key types

Microsoft Dynamics CRM uses three kinds of private encryption keys for deployments accessed over the Internet.



  • CRM ticket key. This key creates CRM tickets, which are generated when a Microsoft Dynamics CRM user logs on to the system. In addition, every time that a request is made to the Microsoft Dynamics CRM Server, the CRM ticket key decrypts the CRM ticket to validate users without forcing the user to re-enter credentials.

  • Web remote procedure call (WRPC) token key. This is used to generate a security token, which helps make sure that the request originated from the user who made the request. This security token decreases the likelihood of certain attacks, such as a cross-site request forgery (one-click) attack.

  • CRM e-mail credentials key. This key encrypts the credentials for the E-mail Router, an optional component of Microsoft Dynamics CRM.

Key regeneration and renewal

CRM ticket keys are automatically generated and renewed and then distributed, or deployed, to all computers running Microsoft Dynamics CRM or running a specific Microsoft Dynamics CRM Server role. These keys are regenerated periodically and, in turn, replace the previous keys. By default, key regeneration occurs every 24 hours.



Key-management logging

Microsoft Dynamics CRM records encryption-key events in the Application log. By using the Event Viewer, you can filter on the Source column and look for MSCRMKeyServiceName entries, where ServiceName is the key management service such as MSCRMKeyArchiveManager or MSCRMKeyGenerator.
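
One way to review these entries from Windows PowerShell instead of Event Viewer, as an added example that is not part of the original guide: it collects the MSCRMKey* events and reports any interval between MSCRMKeyGenerator events longer than the 24-hour default. It assumes every regeneration writes at least one MSCRMKeyGenerator event; the function names, the one-hour tolerance and the sample events are constructed for this example.

```powershell
# Added example, not from the guide. Needs Windows PowerShell 2.0 or later
# (Get-EventLog is not available in PowerShell 6 and later).

function Get-CrmKeyEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # 'MSCRMKey*' matches MSCRMKeyGenerator, MSCRMKeyArchiveManager and any
    # other MSCRMKey<ServiceName> source in the Application log.
    Get-EventLog -LogName Application -Source 'MSCRMKey*' -After $Since -ErrorAction SilentlyContinue |
        Sort-Object TimeGenerated
}

function Find-KeyRegenerationGap {
    param(
        [object[]]$Events = @(),
        [datetime]$Since = (Get-Date).AddDays(-7),
        [datetime]$Until = (Get-Date),
        [double]$MaxHours = 25   # assumption: 24-hour default plus one hour of slack
    )
    # Assumption: every regeneration writes at least one MSCRMKeyGenerator event.
    $generated = @($Events | Where-Object { $_.Source -eq 'MSCRMKeyGenerator' } |
        ForEach-Object { $_.TimeGenerated } | Sort-Object)
    # Include the window edges so a silent start or end of the window is reported too.
    $times = @($Since) + $generated + @($Until)
    for ($i = 1; $i -lt $times.Count; $i++) {
        $hours = ($times[$i] - $times[$i - 1]).TotalHours
        if ($hours -gt $MaxHours) {
            New-Object PSObject -Property @{
                From  = $times[$i - 1]
                To    = $times[$i]
                Hours = [math]::Round($hours, 1)
            }
        }
    }
}

# Constructed sample events (not real log data); the 3 March regeneration is missing.
$start  = Get-Date '2016-03-01T00:00:00'
$sample = foreach ($h in 2, 26, 74, 98) {
    New-Object PSObject -Property @{
        Source        = 'MSCRMKeyGenerator'
        EntryType     = 'Information'
        TimeGenerated = $start.AddHours($h)
    }
}
Find-KeyRegenerationGap -Events $sample -Since $start -Until $start.AddHours(100)

# Against the live Application log on the Microsoft Dynamics CRM server:
$since  = (Get-Date).AddDays(-7)
$events = @(Get-CrmKeyEvent -Since $since)
$events | Group-Object Source, EntryType | Select-Object Count, Name
$events | Where-Object { $_.EntryType -ne 'Information' } |
    Select-Object TimeGenerated, Source, EventID, Message
Find-KeyRegenerationGap -Events $events -Since $since
```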



Key storage

Cryptographic keys are stored in the Microsoft Dynamics CRM configuration database (MSCRM_CONFIG).



Warning

By default, encryption keys are not stored in the configuration database in an encrypted format. We strongly recommend that you specify encryption when you run Setup.



How to encrypt Microsoft Dynamics CRM keys

Before you run Microsoft Dynamics CRM Setup, you can add the entry in the XML configuration file, and then run Microsoft Dynamics CRM Server Setup at the command prompt. During the installation, Setup creates a server master key and database master key, which are used to encrypt Microsoft Dynamics CRM certificates.

For detailed instructions about how to install Microsoft Dynamics CRM at the command prompt and how to encrypt the Microsoft Dynamics CRM keys, see "Use the Command Prompt to install Microsoft Dynamics CRM" in the Installing Guide.

Multi-organization deployment


In the Organizations area of Deployment Manager, you create, add, enable, disable, or remove organizations.

Important

There are several names that cannot be used to name an organization. To view a list of reserved names, open the dbo.ReservedNames table in the MSCRM_CONFIG database, and notice the names in the ReservedName column.

For more information about organization management in Microsoft Dynamics CRM, see the Deployment Manager Help.

Advanced deployment options for Microsoft Dynamics CRM for Outlook


This section describes advanced deployment options that can be used to deploy Microsoft Dynamics CRM for Outlook.

The Microsoft Dynamics CRM for Outlook installation is completed by performing two steps. First, run Setup, which installs the files that are required on the computer. Then, run the Client Configuration Wizard.

There are two versions of Microsoft Dynamics CRM for Outlook:


  • Microsoft Dynamics CRM for Outlook. Install this on workstations (including computers that are shared by several users) that do not go offline and have a connection to the local area network (LAN) or to the Internet. If a computer is being shared by several users (that is, each user has a logon and is a valid Microsoft Dynamics CRM user), you install Microsoft Dynamics CRM for Outlook one time, and then run the Client Configuration Wizard to configure each user.

Note

If a user does not require offline capabilities, for improved performance we recommend that you install Microsoft Dynamics CRM for Outlook instead of Microsoft Dynamics CRM for Outlook with Offline Access.



  • Microsoft Dynamics CRM for Outlook with Offline Access. Install this on computers that go offline. Salespeople who require offline support for sales force automation data while they work in the field have access to their customer data by using laptops.

At the beginning of the Microsoft Dynamics CRM for Outlook installation, you will have the choice to install either Microsoft Dynamics CRM for Outlook or Microsoft Dynamics CRM for Outlook with Offline Access. Microsoft Dynamics CRM for Outlook is available from the shortcut bars and folder navigation in the main window of Outlook.

Deploy Microsoft Dynamics CRM for Outlook by using deployment management software


You can deploy Microsoft Dynamics CRM for Outlook by using Systems Management Server 2003, or its successor, System Center Configuration Manager 2007. For instructions, see "Microsoft Dynamics CRM for Outlook Installation Instructions" in the Microsoft Dynamics CRM Installing Guide.

Deploy Microsoft Dynamics CRM for Outlook by using Group Policy


You can deploy Microsoft Dynamics CRM for Outlook by using Microsoft Group Policy. If you perform a Group Policy-based software deployment, you can publish the software and make it available to users from a list of applications in Add or Remove Programs in Control Panel. When you publish software for users, you give them the opportunity to decide if and when they want to install it.

Important

You must run the Microsoft Dynamics CRM for Outlook Setup program (SetupClient.exe) by using the administrative installation option to create an MSI package (CRMClient.msi) for Group Policy deployment. You cannot use the MSI package (Client.msi) that is included with the Microsoft Dynamics CRM for Outlook installation files to deploy by using Group Policy. For information about how to perform an administrative installation, see "Install Microsoft Dynamics CRM for Outlook" in the Microsoft Dynamics CRM Installing Guide.


Preparing Microsoft Dynamics CRM for Outlook for a Group Policy deployment


Follow this procedure to create the CRMClient.msi file that is required for a Microsoft Dynamics CRM for Outlook Group Policy deployment.

To create the CRMClient.msi file, follow these steps:

  1. Determine the distribution point and copy the MSI package in that location.

     • Run SetupClient.exe at the command prompt by using the /A and /targetdir parameters. The /A parameter specifies an administrative installation, and /targetdir specifies the target directory. After Setup is complete, you can share the location. For more information, see "Use the Command Prompt to install Microsoft Dynamics CRM" in the Microsoft Dynamics CRM Installing Guide.

     • Consider using Microsoft Distributed File System (DFS) and File Replication Service (FRS) to help improve the security and availability of your distribution points. For more information about DFS, FRS, and how to deploy Microsoft file server technologies, refer to your operating system documentation. We recommend that you understand those features before you configure your distribution point servers.

  2. Create the Group Policy object (GPO) and target the application to Microsoft Dynamics CRM Users. To do this, follow these steps:

     1. On a domain controller in the domain where Microsoft Dynamics CRM is installed, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

Note

You may have to download and install the Group Policy Management Console (GPMC) with SP1 snap-in. For more information, see Internet Security and Acceleration Server (http://go.microsoft.com/fwlink/?linkid=102704).



     2. In Active Directory Users and Computers, right-click the domain, and then click Properties.

     3. In the Properties box, click the Group Policy tab, and then click Open.

     4. In Group Policy Management, right-click the domain, click Create and Link a GPO Here, type a name for the Group Policy object, such as Microsoft Dynamics CRM Users, and then click OK.

        Creating a GPO at the domain level configures the GPO with domain-wide scope.

     5. Right-click the GPO that you created in the previous step, and then click Edit.

     6. In Group Policy Object Editor, expand User Configuration, and then expand Software Settings.

     7. Right-click Software Installation, point to New, and then click Package.

     8. Type the full path or locate the Microsoft Dynamics CRM for Outlook MSI package (CRMClient.msi) that was created by the administrative installation, and then click Open.

Important

Users must have Read access to this path.



     9. Click Publish to publish the Microsoft Dynamics CRM for Outlook application, and then click OK.

     10. By default, Microsoft Dynamics CRM for Outlook is available in Add or Remove Programs for all authenticated users the next time that they log on to the domain. To limit the scope to a specific OU, Group, or individual User, in Group Policy Management, click the GPO named Microsoft Dynamics CRM Users, and then add or remove the security objects that you want, such as a group, in the Security Filtering area of the publication on the Scope tab.

Publish versus assign

When you publish an application by using GPO deployment, it is made available for users to install by using Add or Remove Programs in Windows Control Panel. Assigned applications are installed when a user logs on to the domain.



Note

Microsoft Dynamics CRM for Outlook does not support application assignment through GPO installation. For more information about publishing versus assigning software, see the Group Policy deployment documentation for your operating system.
