Publishing CRM SBE
via ISA 2004
by Andy Goodman [SBS-MVP]
So you followed my instructions and you have a functional CRMsbe installation, if not see the troubleshooting article before proceeding. So now you want to enable SSL so the transactions are more secure. Well you've come to the right place :>), but let me emphasize these instructions are for CRM 3.0 Small Business Edition with ISA 2004 only, and may only work if you did the integrated install (the first choice when installing). They have not been tested if you did the manual install (the second choice) as outlined on the Magical M&M's Site or you don't have ISA 2004.
I would like to send out a
very big Thank You
to Marcelo Sauaf of Brazil
who finally figured out how to get this to work without
consistently be prompted for credentials.
Here are the topics in this
article if you want to jump to a specific area
Add a Web Listener
Publish the CRM web site to the
Internet
Access the CRM web site from the
Internet
Lets get the CRM 3.0 SBE website published.
First open up the ISA Console.
We need to add a Web Listener for our new SSL port.
Click on Firewall Policy
Click on the Toolbox
Click on Network Objects
Right click on Web Listeners
Select New Web Listener
Give it a distinctive name
Set it to listen to the External network
Uncheck Enable HTTP
Check Enable SSL
set the port to 446 (or whatever port you decide to use)
Now we need to select the correct certificate to use.
You want the one you created when you ran the CEICW (connect to the
internet wizard) when you setup SBS
Sorry for the clutter in the screenshot, yours will be much
clearer
Select it and click OK
Once all the info is entered, click Next
We get the obligatory summary screen, if it looks right, click Finish
Now remember this is ISA 2004 Finish doesn't really mean
finish
We still need to click Apply.
The wizard will restart the firewall service and show you it's progress
When it finishes, it will tell you the changes were applied.
Next we need to actually publish the CRM web site.
Still in the ISA console, click the Tasks tab in the task
pane on the right.
Click on Publish a Secure Web Server
Give your publishing rule a catchy name
We want to bridge to IIS not tunnel
Your new rule needs to Allow access
We only want to secure the traffic from the Internet, we do
not need to
secure the internal traffic. If you try to secure all the traffic you will get
prompted for credentials every time you click anything in CRM.
We need to use our internal web server address here.
Mine is 192.168.160.2 yours is probably 192.168.16.2 if you took the
defaults when you did the SBS installation.
Now enter your public name, make
sure you have an "A" Record listed for
this with your ISP.
Next we tell it to use the Web Listener we created earlier
And the default of All Users is probably ok
We are presented with the summary screen, if it looks ok, click Finish
But wait we are not finished yet
Click Apply, you could skip this step and go on until you
are finished,
but just like saving often in word, it is just a good idea to apply as you go.
Right click on our new rule and select Properties, or just double click on it
Click on the To tab
Make sure the Forward the original host header is checked.
Set the Proxy request option to Requests appear to come from the original
client.
Next click the Traffic tab
Check the Require 128-bit encryption for HTTPS traffic check box
Now click the Bridging tab
Check the Redirect requests to HTTP port check box and enter 5555
or whatever port you installed CRM onto.
Make sure to uncheck the Redirect requests to SSL port check box
Now we need to click that Apply button again to make our final changes stick
And hopefully we get the all ok from the wizard.
One more little thing I will remind you of, because it
tripped me up for over an hour on the second site I did.
I seem to have a memory like a rock lately.
If you have a firewall/router in front of your SBS box
Remember to OPEN PORT 446
Now all you have to do is goto
https://YourPublicAddress:446 from a
machine outside the lan
When you get the security warning you need to
INSTALL
the Certificate
If you are using IE 7 you will be prompted to close the window, say yes
And if all went well, you should be in the CRM window just like you were on the lan.
This is the process that worked for me to allow outside
access to the CRM Web Site on SBS 2003 with ISA 2004
You results may vary depending on your configuration.
I can only tell you what worked for me and wish you luck,
hopefully Microsoft
will publish a supported process soon,
but I have not been able to get anyone to confirm that.
