Architecture


Connectivity and Firewall Port Requirements for Microsoft Dynamics CRM 2011

White Paper

Published: October 2012 Updated: September 2013

Feedback

To send comments or suggestions about this document, please click the following link and type your feedback in the message body:

Important: The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback.

Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your people to make business decisions with greater confidence. Microsoft Dynamics works like and with familiar Microsoft software, automating and streamlining financial, customer relationship and supply chain processes in a way that helps you drive business success.

U.S. and Canada Toll Free 1-888-477-7989 Worldwide +1-701-281-6500 dynamics

Legal Notice

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

© 2013 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Hyper-V, Internet Explorer, Microsoft Dynamics, Microsoft Dynamics logo, MSDN, Outlook, Notepad, SharePoint, Silverlight, Visual C++, Windows, Windows Azure, Windows Live, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

2 CONNECTIVITY AND FIREWALL PORT REQUIREMENTS FOR MICROSOFT DYNAMICS CRM 2011

SEPTEMBER 2013

Table of Contents

Overview
    On Premise with Integrated Windows Authentication
    On Premise with Claims-Based Authentication
Default CRM Connectivity Requirements
Port Recommendations
    Network ports for the Microsoft Dynamics CRM Web application
    Network ports for the Asynchronous Service, Web Application Server, and Sandbox Processing Service server roles
    Network ports that are used by the SQL Server that runs the Microsoft Dynamics CRM Reporting Extensions server roles
Connectivity Requirements for Windows Services
Connectivity Requirements for Integrated Windows Authentication
Mail Server Connectivity Requirements
Appendix A: Resources


Overview

Many data centers include firewalls between the end users and the servers and other integrated systems that support an implementation of Microsoft Dynamics CRM 2011. This document is designed to provide guidance on the connectivity requirements between Microsoft Dynamics CRM 2011 and other systems to assist readers with proper firewall configuration in customer environments.

On-Premises with Integrated Windows Authentication

An overview of an on-premises implementation that uses Integrated Windows Authentication (IWA) is shown in the following diagram.

[Diagram: On-Premise CRM Solution with Windows Integrated Authentication. Components shown: CRM Users, CRM Server(s), AD Server(s), CRM SQL Server(s), Exchange Server. Connection labels shown: HTTP(S), AD Authentication, SQL Access. Annotations shown: "Only required for SQL Filtered View access to provide Dynamic Excel Export / pivot tables etc."; "Only required for Server side Email integration"; "Only required with the CRM Outlook Client".]

In this scenario the user must have a certain level of connectivity to the CRM Server(s), the Active Directory Server(s) and the SQL Server for SQL Filtered View access (if Export to Excel functionality is required). The remainder of this document focuses primarily on this scenario and details the required level of connectivity between these various components as well as further options for integration, Citrix implication, and so on.


On-Premises with Claims-Based Authentication

An overview of an on-premises implementation that uses claims-based authentication is shown in the following diagram using Active Directory Federation Service (ADFS) as the Security Token Service (STS).

[Diagram: On-Premise CRM Solution with Claims-Based Authentication. Components shown: CRM Users, ADFS, CRM Server, AD Server, CRM SQL Server, Exchange Server. Connection labels shown: HTTPS, SQL, AD Access. Annotations shown: "Only required for Server side Email integration"; "Only required with the CRM Outlook Client".]

With claims-based authentication, the Microsoft Dynamics CRM site is accessed anonymously and the user is then redirected to ADFS. Users enter their credentials, which ADFS validates by contacting Active Directory Directory Services (AD-DS). Finally, ADFS issues a SAML token containing the necessary claims for accessing Microsoft Dynamics CRM.


Default CRM Connectivity Requirements

An overview of the default connectivity requirements for an on-premises deployment of Microsoft Dynamics CRM 2011 is shown in the following graphic:

[Diagram: default connectivity requirements for an on-premises deployment.

Components shown:
    AD Servers (CRM User Domains)
    AD Server (CRM Server Domain)
    Corporate Exchange Infrastructure
    CRM Exchange Router
    SRS Service / SRS Web Site
    SQL Server
    CRM Server (Application Role Group: Application Server; Help Server; SDK Server)
    CRM Server (Platform Role Group: Asynchronous Processing Service; Deployment Service; Discovery Service; SDK Server)
    Client Machine: IE / Outlook Online Client

Connection labels shown:
    AD Replication (dependent on approach; see options in section below)
    AD Authentication; Server AD Authentication; User AD Authentication
    TCP: 25 (SMTP); TCP: (POP3/IMAP/Etc.); TCP: 110 (POP3)
    TCP: 80 (Exchange: HTTP-DAV) (Exchange: EWS)
    TCP: 80 (443 for SSL)
    TCP: 80 (HTTP); TCP: 443 (SSL)
    TCP: 1433 (SQL); TCP: 445 (microsoft-ds); UDP: 445 (microsoft-ds)
    Exchange Connectivity (Outlook Clients Only)
    Custom aspx & plugins: TCP: 80 (443 for SSL)
    SQL access from the client: "Only required for SQL Filtered View access to provide Dynamic Excel Export / pivot tables etc."]

In addition, all servers require the following:
    DNS name resolution on UDP/TCP: 53
    NetBIOS name resolution on TCP: 139, UDP: 137/138
    NTP time synchronisation: 123 - this is a requirement for Kerberos Authentication
    DCOM and RPC: TCP 135, UDP 1025

Note: Arrow direction depicts source and target of initiating request rather than direction of data flow.

Important: Because this diagram is focused on Microsoft Dynamics CRM connectivity requirements, full details about the specific port requirements for Microsoft Exchange Server and the Microsoft Windows Active Directory service are not shown. Additional information and links to related articles about these technologies and their specific requirements are provided in the following sections of this document.


The default connectivity requirements for components of an on-premises deployment of Microsoft Dynamics CRM 2011 are shown in the following table.

Component / Default Connectivity Requirements

CRM Server
    AD Connectivity from Microsoft Dynamics CRM Servers
    RDP Connection to all Servers recommended
    SQL Server access
    SQL Reporting Services access

Exchange Router
    Exchange Server Connectivity (HTTP DAV / EWS / SMTP)
    Other Mail Server Connectivity (POP3/SMTP)
    Optional Connectivity to a Microsoft Dynamics CRM Sink Mailbox
    HTTP / HTTPS access to CRM Servers / Network Load Balancer
    AD Authentication

Client
    Outlook Connectivity to Exchange
    Optional Connectivity to SQL Server for views
    HTTP / HTTPS access to CRM Servers / Network Load Balancer
    AD Authentication

ALL
    DNS name resolution where applicable on UDP/TCP: 53
    NetBIOS name resolution where applicable on TCP: 139, UDP: 137/138
    NTP: Required on all Servers to Sync Network Time UDP: 123 - this is a requirement for Kerberos Authentication
    DCOM and RPC: Required on all Servers. TCP 135, UDP 1025

Important: In each case, the port numbers can be configured to run under alternative (nondefault) values, so environments will vary.


Port Recommendations

Network ports for the Microsoft Dynamics CRM web application

The following table lists the ports used for a server that is running a Full Server installation of Microsoft Dynamics CRM. Moreover, except for the Microsoft SQL Server role, and the Microsoft Dynamics CRM Connector for SQL Server Reporting Services server role, all server roles are installed on the same computer.

Protocol  Port  Description   Explanation
TCP       80    HTTP          Default web application port; may be different as it can be changed during Microsoft Dynamics CRM Setup. For new websites, the default port number is 5555.
TCP       135   MSRPC         RPC endpoint resolution
TCP       139   NETBIOS-SSN   NETBIOS session service
TCP       443   HTTPS         Default secure HTTP port. The port number may differ from the default port. This secure network transport must be manually configured. Though this port is not required to run Microsoft Dynamics CRM, we strongly recommend it. For information about how to configure HTTPS for Microsoft Dynamics CRM, see "Make Microsoft Dynamics CRM client-to-server network communications more secure" in Post-Installation and Configuration Guidelines in the Installing Guide.
TCP       445   Microsoft-DS  Active Directory directory service required for Active Directory access and authentication.
UDP       123   NTP           Network Time Protocol
UDP       137   NETBIOS-NS    NETBIOS name service
UDP       138   NETBIOS-dgm   NETBIOS datagram service
UDP       445   Microsoft-DS  Active Directory directory service required for Active Directory access and authentication
UDP       1025  Blackjack     DCOM, used as an RPC listener

Important: Depending on the domain trust configuration, additional network ports may be required for Microsoft Dynamics CRM to work correctly. For more detail, see Knowledge Base article ID 179442, How to configure a firewall for domains and trusts.
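The following is an added example, not part of the white paper: it audits a firewall allow-list against the Full Server port table above, reporting table ports that no rule covers and rules that open more ports than the table lists. The rule format, the function names and the sample rule set are assumptions made for illustration; the port numbers are the defaults from the table.

```python
# Added example: audit an allow-list against the Full Server port table.
# Port values are the white paper's defaults; SAMPLE_RULES is constructed data.
REQUIRED = {
    ("TCP", 80): "HTTP", ("TCP", 135): "MSRPC", ("TCP", 139): "NETBIOS-SSN",
    ("TCP", 443): "HTTPS", ("TCP", 445): "Microsoft-DS", ("UDP", 123): "NTP",
    ("UDP", 137): "NETBIOS-NS", ("UDP", 138): "NETBIOS-dgm",
    ("UDP", 445): "Microsoft-DS", ("UDP", 1025): "Blackjack (DCOM RPC listener)",
}


def parse_ports(spec):
    """'443' -> (443, 443); '135-139' -> (135, 139); 'any' -> (0, 65535)."""
    if spec.lower() == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def audit(rules, web_port=80):
    """Compare (protocol, port_spec) allow rules with the table.

    Returns (missing, excess):
      missing - table entries no rule covers, so CRM traffic would be dropped
      excess  - (proto, lo, hi, n) rules that open n ports the table does not list
    web_port is the HTTP port chosen during Setup when it is not the default 80.
    """
    required = dict(REQUIRED)
    if web_port != 80:
        required[("TCP", web_port)] = required.pop(("TCP", 80))
    spans = [(proto.upper(), *parse_ports(spec)) for proto, spec in rules]
    missing = sorted(
        key for key in required
        if not any(p == key[0] and lo <= key[1] <= hi for p, lo, hi in spans)
    )
    excess = []
    for proto, lo, hi in spans:
        listed = sum(1 for p, n in required if p == proto and lo <= n <= hi)
        if (hi - lo + 1) > listed:
            excess.append((proto, lo, hi, hi - lo + 1 - listed))
    return missing, excess


# Constructed rule set for a server whose CRM website was created on port 5555.
SAMPLE_RULES = [
    ("tcp", "5555"), ("tcp", "443"), ("tcp", "135-139"), ("tcp", "445"),
    ("udp", "123"), ("udp", "137-138"), ("udp", "1025-5000"),
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, web_port=5555)
    print("missing:", missing)
    print("excess :", excess)
```

An entry in `excess` is a prompt for review, not proof of a misconfiguration: as the note above says, domain trust configurations can require ports beyond this table.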
