Single URL for internal and external CRM access when using IFD

Hello,
At one of our client sites I have set up IFD on CRM 2011. This IFD is behind TMG. My client is a big corporation, therefore all CRM components, including CRM, ADFS and SQL, are on separate servers.
I have configured IFD using the single URL https://orgname.contoso.com. Their IT staff want to know why they can't use a single URL for internal and external access where internal users are not prompted for authentication when logging on to the CRM server. I know you can do URL rewriting in ADFS, but they want to know the reason "why internal users can't use the same IFD URL and don't get prompted for their credentials". The text below is from their IT staff.

There are several approaches to your question. You need to set up both an internal and an external relying party trust. If you use the external URL, it will always direct you to the sign-in page; if you use the internal URL, it will resolve you single sign-on.
I've configured IFD for CRM multiple times, and this is how it works. CRM looks at the URL. If you use the external URL (org.domain.com), it will prompt for credentials. So what you are asking for, a single URL that works single sign-on internally and prompts externally, really isn't possible.
What I recommend is:
1. Make the external URL available internally.
2. Configure all Outlook clients against the external URL; that way you won't have to reconfigure when someone goes from internal to external.
3. Have users who are primarily internal use the internal URL for the web client, which will resolve single sign-on.
4. Have users who are primarily external use the external URL for the web client.
For #1, since you only need to enter the credentials when you first configure CRM, it is in all effects single sign-on.
One thing I haven't tried that may work is using IIS redirect internally to redirect the external URL to the internal URL. There is also a PowerShell script in the IFD guide that you can use to make the Outlook client switch between the internal and external URLs, but nothing that will give you a single URL that works as the internal relying party trust when internal and the external relying party trust when you are external.

Similar Messages

  • Use Same URL for Internal and External Access for CRM 2015 IFD

    I have set up a CRM 2015 server for IFD access.
    ADFS and CRM are on separate servers.
    CRM server all roles
    ADFS 2.0 server.
    Using the internal URL I am able to access CRM without entering my details (as expected)
    Using the external URL I am authenticated by ADFS as expected and can sign in.
    We have an internal domain domain.local
    We have an external domain domain.com (the certificate is for *.domain.com)
    We have a DNS zone created internally for domain.com.
    CRM URLs
    internal : internalcrm.domain.com
    External : externalcrm.domain.com
    I would like all users to use the same link regardless of whether they are internal or external, but I would like any user who is on the domain to be automatically logged in without entering their username and password. What is the best way to do this?
    I have tried creating a CNAME record in the internal domain.com zone pointing externalcrm.domain.com to internalcrm.domain.com, but that didn't work; I still get the ADFS sign-in page.
    Thanks

    So fair warning, what you're asking for isn't really a supported deployment method of CRM.
    That said, you should be able to do some DNS trickery internal to your network that points your "crm.domain.com" to "crm.domain.local" and then hopefully CRM will treat the connection as if it came from an internal network.
    Otherwise, you're likely going to have to accept that everyone gets the ADFS login page internal and external to your network.
    The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

  • Exchange certificates and services setup for internal and external clients access on separate domains.

    I have the following on my local network.
    Server DomainA -> Small Business server 2003/Exchange 2003
    Server DomainB -> Windows 2008 R2/Exchange 2013
    Clients Domain A ->  Windows XP/Outlook 2003
    Clients Domain B -> Windows 7/Outlook 2007/2010
    Problem: I want clients from DomainA to log into Exchange on DomainB on the same local network.
    I need to know how to set up the DNS on both domains and the certificates on the DomainB Exchange server to accept the connection from the PC on DomainA. All connections from clients on DomainB to the server on DomainB work correctly, but when adding accounts to Outlook 2003/2007 on DomainA clients I am getting certificate errors.
    I have purchased certificates for mail.domainb.com and autodiscover.domainb.com but I don't know how to get the clients on DomainA to recognize those external URLs of the Exchange server (with the certificates bound to them) from the internal network. Hence I get domain errors.
    I am getting issues when a client on DomainA tries to add an Outlook mail profile to connect to the Exchange on DomainB.
    Any suggestions on how to set this up?
    thanks

    Are Domain A & Domain B two separate AD forests?
    Users in Domain A either need mailbox-enabled user accounts that are in DomainB or a linked mailbox in Domain B to utilise the Exchange Server in DomainB. In either case, with the help of the Autodiscover service, the user can use the services in ExchangeB.
    If the client machines are members of DomainA and you are trying to access ExchangeB, you will then need to leverage a custom XML file for Autodiscover and force the Outlook client to use this file.
    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <Account>
          <AccountType>email</AccountType>
          <Action>redirectUrl</Action>
          <RedirectUrl>https://autodiscover.domain.com/autodiscover/autodiscover.xml</RedirectUrl>
        </Account>
      </Response>
    </Autodiscover>
    Then you need to configure the client machine to query that XML file by adding the following registry value, which refers to the XML file:
    For Outlook 2007: HKCU\Software\Microsoft\Office\12.0\Outlook\Autodiscover
    For Outlook 2010: HKCU\Software\Microsoft\Office\14.0\Outlook\Autodiscover
    String value <your_namespace> = path to the XML file
    you can find more information in the following link.
    Controlling Outlook Autodiscover behavior
    http://blogs.technet.com/b/kristinw/archive/2013/04/19/controlling-outlook-autodiscover-behavior.aspx
    CK
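
The local Autodiscover redirect file above is plain XML that Outlook reads before touching the network, so the redirect target deserves a check. The following Python is an added example, not code from the reply or from Microsoft: it parses the response using the two namespaces Outlook expects and accepts only an absolute https:// redirect target (a plain-http target would let anyone on the path hand the client a different Exchange endpoint). The sample document embedded in it is the one from the reply; the policy of rejecting non-HTTPS targets is an assumption of this example, not a documented Outlook rule.

```python
"""Parse and sanity-check a local Autodiscover redirect file (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The two namespaces used by the Autodiscover response shown in the reply.
NS_OUTER = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
NS_RESP = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# Sample document: the redirect file from the reply above.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectUrl</Action>
      <RedirectUrl>https://autodiscover.domain.com/autodiscover/autodiscover.xml</RedirectUrl>
    </Account>
  </Response>
</Autodiscover>"""


def parse_redirect(xml_text: str) -> str:
    """Return the redirect URL, raising ValueError if the document is malformed
    or the target is not an absolute https:// URL (policy assumed here)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{NS_OUTER}}}Autodiscover":
        raise ValueError("not an Autodiscover document")
    account = root.find(f"{{{NS_RESP}}}Response/{{{NS_RESP}}}Account")
    if account is None:
        raise ValueError("no Account element in the Outlook response namespace")
    action = account.findtext(f"{{{NS_RESP}}}Action")
    if action != "redirectUrl":
        raise ValueError(f"unsupported Action {action!r}")
    url = (account.findtext(f"{{{NS_RESP}}}RedirectUrl") or "").strip()
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"redirect target must be an absolute https URL: {url!r}")
    return url


def redirect_host(xml_text: str) -> str:
    """Host name the client will be sent to; this is the name that has to be
    on the certificate of the server that answers."""
    return urlsplit(parse_redirect(xml_text)).hostname


def is_safe_redirect(xml_text: str) -> bool:
    """True when the file parses and points at an https:// target."""
    try:
        parse_redirect(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(redirect_host(SAMPLE))
```

Whatever host `redirect_host` returns is the one whose certificate the clients in DomainA must trust, which is why the purchased autodiscover.domainb.com certificate has to sit on the server that answers that redirect.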

  • Non-Web Server Publishing Rule for Internal and External

    Hi there,
    I have a problem with my TMG and publishing SSH for internal and external users to an internal server.
    Network:
    Internal Network
    SSH Server, 10.10.10.25
    Internal DNS record "ssh.domain.com" pointing to 10.10.10.254
    TMG Server, 10.10.10.254/192.168.0.254
    External Network
    External DNS record "ssh.domain.com pointing to 192.168.0.254
    I want my users (internal AND external) using their SSH client to connect to ssh.domain.com and TMG to forward the request to the SSH server. Note that internal clients and the SSH server are in the same network.
    I have created a custom "SSH Server" protocol with inbound TCP for port 22 and created a Non-Web Server publishing rule.
    Traffic Tab: SSH Server Protocol
    From Tab: Internal, External
    To Tab: 10.10.10.25, original client
    Networks Tabs: Internal, External
    External users can connect without a problem; all fine here. Internal users get a timeout. The TMG log says: Denied Connection (Default Rule, The policy rules do not allow the user request) and doesn't recognize this as an inbound request. The log gives me dest IP 10.10.10.254 and protocol SSH, and not 10.10.10.25 and SSH Server.
    I read a lot about networking rules and NAT/routing, tried a bit but never had success.
    Can you help me fix or work around this and tell me what's going on there and if there are limitations in TMG I don't know yet?
    Regards,
    Sascha

    Hi,
    According to your description, it seems that the request was denied by the TMG rules, so the request from the internal users could not be forwarded to the SSH server. I would appreciate it if you could post the logs to us and the results of running ipconfig /all on the TMG server.
    In addition, maybe you can change the firewall policy to be only from External and add another firewall policy for the internal users to see if the issue persists.
    More information:
    Creating and using a server protocol
    TMG
    Back to Basics - Part 1: Server Publishing Rules
    Best regards,
    Susie

  • Exchange 2013 DNS for internal and external domain

    Hi All,
    I have been assigned a task to implement Microsoft Exchange Server 2013. I need some help in setting up DNS namespaces and designing a strategy to have the same internal and external names. Let me share some details here.
    We have an Active Directory domain myinternaldomain.net, and we have a public domain mypublicdomain.com, and we have set up an email address policy to have mypublicdomain.com as the SMTP domain for all users. We have created another DNS zone in Active Directory integrated DNS and created A records for mail.mypublicdomain.com and autodiscover.mypublicdomain.com which will point to the CAS NLB IP. We have 2 CAS servers and 2 MBX servers; we have configured a DAG for MBX high availability and are planning to implement WNLB for CAS, as a hardware LB is out of scope due to budget constraints.
    We want to have the same URLs for OWA, Autodiscover, ECP and other services from the internal network as well as from the public network. Users should not be bothered to remember two URLs, one from internal and another from public networks. I also want to confirm that with this setup in place do I need to have myinternaldomain.net and server names in the SAN certificate?
    Thanks

    Hi Sccmnb,
    You can easily achieve this using split DNS.
    The internal DNS hostname "mail.mypublicdomain.com" will point to your internal CAS NLB IP and the external public DNS hostname "mail.mypublicdomain.com" will point to the network device or reverse proxy server IP.
    Depending on the user's access location (internal\external) the IPs would vary, and they should be able to access the website with the same name.
    The names that you would require on the certificate (use EAC or PowerShell to raise the request) for client connectivity would be
    SN = mail.mypublicdomain.com
    SAN = autodiscover.mypublicdomain.com
    You don't need to have the Active Directory domain name present in the certificate.
    In addition to this you need to update the AutodiscoverURI for all servers and the OWA, ECP and Autodiscover virtual directories' InternalURL and ExternalURL fields with the appropriate public names.
    Some additional info:
    *Internal vs. External Namespaces
    Since the release of Exchange 2007, the recommendation is to deploy a split-brain DNS infrastructure for the Internet-based client namespaces. A split-brain DNS infrastructure enables different IP addresses to be returned for a given namespace based on where the client resides: if the client is within the internal network, the IP address of the internal load balancer is returned; if the client is external, the IP address of the external gateway/firewall is returned.
    This approach simplifies the end-user experience: users only have to know a single namespace (e.g., mail.contoso.com) to access their data, regardless of where they are connecting. A split-brain DNS infrastructure also simplifies the configuration of Client Access server virtual directories, as the InternalURL and ExternalURL values within the environment can be the same value.
    *Managing Certificates in Exchange Server 2013 (Part 2)
    *Nice step by step article
    Designing a simple namespace for Exchange 2013
    Regards,
    Satyajit
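
Both this reply and the CRM IFD threads above come down to the same two checks: the single name must resolve to the internal endpoint from inside and to the reverse proxy from outside, and every name a client is pointed at must be on the certificate, where *.domain.com covers externalcrm.domain.com but not tiger.domain.local or a name with an extra label. The Python below is an added example, not from either thread or from Microsoft; the resolver answers, addresses and certificate names in it are constructed for illustration rather than looked up.

```python
"""Split-DNS namespace and certificate coverage check (added example)."""
import ipaddress

# Constructed answers: what an internal and an external resolver return.
# 10.0.0.50 stands in for the CAS NLB VIP, 203.0.113.10 for the reverse proxy.
INTERNAL_VIEW = {
    "mail.mypublicdomain.com": "10.0.0.50",
    "autodiscover.mypublicdomain.com": "10.0.0.50",
    "cas01.myinternaldomain.net": "10.0.0.51",
}
EXTERNAL_VIEW = {
    "mail.mypublicdomain.com": "203.0.113.10",
    "autodiscover.mypublicdomain.com": "203.0.113.10",
}

# Constructed certificate: the two names the reply above recommends.
CERT_NAMES = ["mail.mypublicdomain.com", "autodiscover.mypublicdomain.com"]


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a host the way TLS clients do:
    a wildcard is only honoured as the entire left-most label, so
    *.domain.com covers a.domain.com but neither domain.com nor a.b.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the label the wildcard must cover
    return left != "" and "." not in left


def covered_by_cert(hostname: str, san_names) -> bool:
    return any(cert_name_matches(p, hostname) for p in san_names)


def check_namespace(hostnames, san_names, internal_view, external_view, internal_nets):
    """Return {hostname: [problems]}; an empty list means the name is usable
    from both sides with the given certificate."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    report = {}
    for host in hostnames:
        problems = []
        if not covered_by_cert(host, san_names):
            problems.append("not covered by certificate")
        inside = internal_view.get(host)
        outside = external_view.get(host)
        if inside is None:
            problems.append("no internal DNS record")
        elif not is_internal(inside):
            problems.append("internal resolver returns a public address")
        if outside is None:
            problems.append("no external DNS record")
        elif is_internal(outside):
            problems.append("external resolver leaks an internal address")
        report[host] = problems
    return report


if __name__ == "__main__":
    names = ["mail.mypublicdomain.com", "autodiscover.mypublicdomain.com",
             "cas01.myinternaldomain.net"]
    for host, problems in check_namespace(names, CERT_NAMES, INTERNAL_VIEW,
                                          EXTERNAL_VIEW, ["10.0.0.0/8"]).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

The server's own name (cas01.myinternaldomain.net here, Tiger.domain.local in the Spiceworks thread below) is flagged on both counts: it is not on the certificate and it has no public record. That is the intended outcome of split DNS: clients are only ever handed the public name, so the AD domain name never needs to appear on a certificate, and since November 2015 public CAs will not issue for such internal names anyway.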

  • Different MOH for Internal and External Calls

    Is it possible to have a different MOH source for internal vs external calls.
    I know that Network MOH is for transfering but can this be used for external MOH source from the PSTN?

    There's really no way to do this easily. The issue is that the call to a PSTN phone would flow through a gateway and if an IP phone put this call on hold, then the Audio Source configured on the IP phone would determine the MoH file/source and the MRGL of the gateway would determine which MoH server it actually came from. As a result, there's really no way that the IP phone placing the call on hold could specify a different audio source for an internal call (to another IP phone) because even if the other phone has a different MRGL (and therefore a different MoH server), the MoH audio source will be the same

  • Reverse proxy for internal and external

    Hello,
    BM1 is our main BM3.9 Box. I have reverse proxy configured for webaccess and to release emails from our spam filter externally (this works). This BM server also is our external DNS, and our default route for Internet traffic.
    Another BM box is our internal DNS.
    I need to modify BM1 config to enable client internally to release emails from our spam filtering software. The error issued is 504 Gateway timeout.
    Do I just add the internal ip address to the BM1 accelerator entry meaning that the same accel will listen for both internal and external addresses ?
    Any help is appreciated
    Regards
    Brian

    bdavis97,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Disk Privileges for internal and external drive

    Hello, I have a Time Capsule and external HD attached to it. I want to share the space on external drive with all users on Time Capsule network and at the same time I want to be the only one who can access the internal TC disk. I don't know how to set password separately for the internal drive. Can anybody help me?

    you can't; try using accounts although I don't like the function of accounts.

  • Capacity evaluation for internal and external workers in one work center

    Hi ,
    Normally in all industries you have internal manpower to execute work. Say I have a work center named "Mechanical"; I will have 5 people working 8 hrs for 5 days a week. We usually configure this in the capacity tab of the work center for capacity category "002-Labour". In the scheduling tab we configure scheduling data for capacity category "002-Labour".
    In many industries, depending on load, many times external labourers are hired to assist internal workers. Technically it is like adding one more capacity category "PER-Person", adding the number of external labourers there, and in the scheduling tab adding the required configuration for the "PER" capacity category.
    Total capacity for any given day would be the available capacity in capacity category 002 + the available capacity in the PER capacity category.
    However, in the scheduling tab, the scheduling basis can be either 002 or PER.
    How can we add more scheduling bases to refer to more than one capacity category?
    Any other alternative to above problem statement?

    Let us say you have a work "Pump repair" which is done partly by internal workers, say 2 people, and 1 external labourer. Let us assume the number of people in 002-Labour is 2 (internal) and the capacity in capacity category PER, which is the external work center, is 3 (total 5).
    Now if I leave the scheduling basis blank, then the system will calculate scheduling based on the 002 capacity category as it is "Major". But I want the system to consider both 002 and PER.
    You are suggesting two line items: "Pump Repair internal" with 2 people and a duration of 8, control key PM01, and another operation "Pump repair External" using control key PM02 (where scheduling is enabled), where 1 person with an 8 hr duration is maintained with another work center.
    If I maintain 2 different work centers and two different operations, this will work. But for the customer this is just one work, and capacity evaluation should be based on capacity categories 002 and PER.
    How to solve this by maintaining one work center, two capacity categories in the same work center, and one control key PM01 in the operation?

  • Parallel MRP run for Internally and Externally procured materials

    Hello all,
    We want to run MRP with different settings for externally procured materials (create purchase requisitions) and internally produced materials. The choices provided by the MRP run are either to create planned orders or requisitions when run in the background. Is the activation of user exit M61X0001 the solution to this issue? I can recall that we had done this in some project in the past, not 100% sure to be sincere. Can anyone help on this?
    Thank you for any help.
    Edited by: Ioannis Salichos on Aug 11, 2010 11:51 PM
    Edited by: Ioannis Salichos on Aug 11, 2010 11:57 PM

    You are right, this is the user exit that can be used to control this.
    see an excellent "how to use"  from R Brahmankar
    in this thread:
    Re: mass MRP run

  • Semifin Production for internal AND external customers

    One of our plants produces semifin goods that are then transferred via Stock Transport Orders to other plants that finish them up.
    That plant would like to be able to also sell these same materials to outside customers. Normally, we would use PIRs for that purpose, however, these materials are all set up as dependent requirements, to be produced against STOs entered at the other plants.
    How could we create some additional requirements for production for external customers? Right now we have been using a defunct plant and created STOs from there, but it doesn't really work, especially the billing side of it. We considered creating a Sales Order Type that can be entered ahead of time to produce against. I don't know much about the S&D side, and the dude that tried that finally gave up.
    Is there an easier solution that would take care of this situation?
    Thanks,
    MMPP

    This sounds strange. STOs, independently from planning strategy, are present as requirements in the standard system.
    Perhaps in your standard system. Our standard system for FG production is set up as MTS strategy 11, and no, STO's are not taken into account there, as strange as it sounds.
    If you use planning strategy 40 you can work with PIRs, SOs and STOs in parallel. You can even force STOs to behave as SOs (I mean to consume PIRs based on master data settings) in this strategy.
    Stock transport orders in planning strategy 40 - consume PIR
    Yes, but I can not use strategy 40. Like I mentioned, we deal with perishable goods, and can not make existing stock part of the MRP calculation.
    In my opinion you should revise your way of thinking / current practice, since you would gain more profit if you applied standard scenarios instead of forcing something that cannot be defined exactly.
    I am sorry that our situation is different from what you define as your standard scenario.
    I mean if your SFGs are considered as FGs (because you sell them to external customers) you should handle them accordingly.
    It is probably a bit difficult to understand. But these are semifinished goods that we want to sell to outside customers (who might treat them as raw materials). Not everything in this world can be clearly divided into three categories. Again, I apologize that our situation doesn't conform to what you consider standard.
    Why do you want to work only with DepReqs? I cannot understand this...
    98% of what that plant will produce are DepReqs = semifinished goods to fulfill STOs from other plants. Does that explain it somewhat?
    As I said you should handle the materials as they are handled in reality.
    I appreciate your reply... it's a good answer, just not to my question.

  • Separate cert for internal and external exchange 2013

    Here is a Microsoft TechNet article that will give you some background: http://social.technet.microsoft.com/wiki/contents/articles/17974.active-directory-domain-naming-cons...
    This article gives you more info: https://technet.microsoft.com/en-us/library/cc781575(v=ws.10).aspx
    It also links to the following tool: http://go.microsoft.com/fwlink/?linkid=5585
    I've never used it or attempted a domain rename myself, so can't really help other than saying it's time to Google. :)

    Every time Outlook starts up, the security message pops up saying Tiger.domain.local does not match anything on the SSL cert (from GlobalSign).
    So I changed it back to the default one and it's all working fine; however, outside connections are now using the local cert.
    Is it possible to have Outlook (local) use the non-SSL cert that the server made, and then for the outside connections use the SSL cert from GlobalSign?
    This topic first appeared in the Spiceworks Community

  • CWMS 2.0MR7 intermittent dead air on call-in and call-back for internal and external users

    Hello,
    I have a new install of CWMS 2.0MR7, 800 users, non-HA system. During initial testing we noticed that when we call in or call back there was dead air: even though the call is connected we don't hear "welcome to WebEx". When we hang up and call again it works fine and we hear "welcome to WebEx", so the issue is intermittent. CUCM version is 8.6.
    Can someone please advise how we go about troubleshooting something like this when the issue is so intermittent?
    Thanks

    Hi,
    Please check the following:
    1. Please check if you are on supported hardware and that no co-resident VMs exist:
    http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_0/Planning_Guide/Planning_Guide_chapter_01011.html#reference_249B138B71324D19B09141D3849EC058
    2. Check if you have any snapshots on any of the virtual machines for the system. If you have captured any snapshots before an upgrade, make sure that you delete them within 24 hours as they cause degradation of system performance and are known to cause audio quality issues.
    3. Please check your network bandwidth for these requirements:
    http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_5/Planning_Guide/Planning_Guide_chapter_01.html#reference_267DB686BB224EB7A49DE4C783C912E6
    If you still face the problem, please open a TAC case to troubleshoot the issue further. We will be able to get detailed logs and sniffers to find the cause of the issue.
    Thanks,
    Jyothi

  • How to configure AD on windows 2012 server for Exchange 2013 internal and external email flow

    Dear Experts,
    I have to configure Exchange 2013 on Windows Server 2012 Standard. The company has registered static IP addresses and can get the MX record pointing to any of these static IPs.
    The registered domain name is e.g. contoso.com.
    a. What should I use as the domain name on AD? contoso.com or contoso.local?
    b. Is it recommended to have two different servers for AD and Exchange?
    c. What should my connector settings be for mail flow?
    d. How can I set up 2 email servers in the company for load balancing?

    Hi,
    a. I suggest using contoso.com as the domain name. It is convenient to add URLs into our certificate for internal and external mail flow.
    b. It is recommended to install AD and Exchange Server on two separate servers. If Exchange Server unfortunately goes down, it prevents the AD server from crashing at the same time.
    c. Found some articles for your reference:
    Configure Mail Flow and Client Access
    http://technet.microsoft.com/en-us/library/jj218640(v=exchg.150).aspx
    Configuring Outbound Mail Flow in Exchange Server 2013
    http://exchangeserverpro.com/configuring-outbound-mail-flow-in-exchange-server-2013/
    d. Load Balancing
    http://technet.microsoft.com/en-us/library/jj898588(v=exchg.150).aspx
    Hope it is helpful
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Best practises regarding Internal and External access to SIM

    Currently we have two separate Active Directories, one internal and one in the DMZ, and plan to have one SIM on a segmented network allowing access for our internal users directly to the SIM UI and external users through portlets that talk to SIM.
    The external AD hosts some internal users that also need access to the DMZ applications, so we can save effort in managing two separate SIM environments in development, tests, upgrades, unique UID etc.
    What are the best practices on the market? Is this a preferred choice with only one SIM, or with one SIM internally and one SIM in the DMZ hosting suppliers, customers etc.?
    With a single SIM environment, are you allowing internal users accessing SIM from the Internet to change their internal AD password, or have you restricted the functionality in some way for internal users accessing SIM from the Internet?
    How about challenge-response questions: are you allowing users to have the same ones both internally and externally, or set up different ones for different user interfaces?
    Anyone willing to share how your environment is set up for internal and external access?

    Yes, for handling the access to SIM we probably need to look into some kind of access management solution to get it to work in a secure way.
    The question is a bit complex, with many different factors controlling the outcome of the SIM implementation, but I hope to get some ideas from this thread on how we can solve it.
    The question still remains whether it's common to have one or two SIMs, and what internal users are allowed to do in SIM from the Internet.
    E.g. are internal users allowed to change their password in the internal Active Directory through SIM from the Internet, or what have others done to limit the functionality?
