
For previous CRM IFDs I have placed the CRM Front End server in the DMZ along with an ADFS Proxy and allowed access from the Domain Controller to the CRM Front End through the firewall.

This is obviously a security vulnerability. For a new install on Windows Server 2012 R2 I was wondering the following:

My question is: would the use of the new Windows Server Web Application Proxy (WAP), which acts as both an ADFS Proxy and a reverse web proxy, allow access to the CRM Front End if the WAP was in the DMZ and the Front End was behind the firewall?

Additionally, does the WAP server need to be domain joined? (This is the reason we had to tunnel through the firewall in the first instance.)

From this documentation: http://technet.microsoft.com/en-us/library/dn383650.aspx it would appear the answer is that this approach would work; however, I've not had any experience of using the WAP before.

Arun Vinoth - MVP
Underscore

1 Answer

Yes, you can deploy WAP in the DMZ and your application (CRM) inside the network; you just need to make sure that the WAP server can contact the application and the ADFS server behind the firewall.

There is no need to make the WAP domain joined if you are not planning on using Kerberos Constrained Delegation for backend SSO.

vainolo
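An added example, not part of the answer above: a PowerShell sketch, run on a workgroup WAP server in the DMZ, that checks the two DMZ-to-LAN flows the answer describes (HTTPS to AD FS and to the CRM front end) before publishing CRM. The host names, URL and certificate thumbprint are placeholders, and pass-through preauthentication is an assumption chosen because it does not use Kerberos Constrained Delegation.

```powershell
# Run elevated on the WAP server in the DMZ.
# All names below are placeholders (assumptions), not values from the original post.
$AdfsName   = 'sts.example.com'            # federation service name
$CrmUrl     = 'https://org.crm.example.com/'   # CRM IFD URL, same externally and internally
$Thumbprint = '<CERT-THUMBPRINT>'          # certificate already in LocalMachine\My

# A workgroup WAP is fine as long as no KCD-based backend SSO is planned.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Write-Output ("Domain joined: {0}" -f $cs.PartOfDomain)

# The firewall only needs to allow DMZ -> LAN on TCP 443 to these two hosts.
# On a non-domain-joined WAP both names must resolve to the INTERNAL addresses
# (DMZ DNS or the hosts file), not to the public ones.
$targets = @($AdfsName, ([uri]$CrmUrl).Host)
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        throw "WAP cannot reach $t on TCP 443; fix the firewall rule or name resolution first."
    }
    Write-Output ("{0} -> {1}:443 reachable" -f $t, $r.RemoteAddress)
}

# Install the role and establish the proxy trust with AD FS.
# The credential must be a local administrator on the AD FS servers.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$cred = Get-Credential -Message 'Local admin on the AD FS server'
Install-WebApplicationProxy -FederationServiceName $AdfsName `
    -FederationServiceTrustCredential $cred `
    -CertificateThumbprint $Thumbprint

# Publish the CRM front end. With pass-through, WAP forwards the request and
# CRM's own claims configuration redirects the user to AD FS.
Add-WebApplicationProxyApplication -Name 'CRM IFD' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $CrmUrl `
    -BackendServerUrl $CrmUrl `
    -ExternalCertificateThumbprint $Thumbprint

# Confirm what is published.
Get-WebApplicationProxyApplication | Format-List Name, ExternalUrl, BackendServerUrl
```

With this layout no rule from the DMZ to a Domain Controller is needed; the only inbound-to-LAN traffic is HTTPS from the WAP to AD FS and to the CRM front end.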