Wednesday, 18 September 2013

Microsoft Dynamics CRM 2011 Deployment Architecture

The architecture for hosting Microsoft Dynamics CRM 2011 is based on a three-tiered, four-zone approach, where the tiers define various levels of scale, and the zones illustrate the use of network segmentation to reduce the attack surface and secure data access. This design is based upon published Microsoft TechNet documentation related to “Best Practices” for secure MS Dynamics CRM 2011 Deployment.
The zones referenced in Microsoft Dynamics CRM 2011 are as follows:
Zone 0 – “Boundary”
  • The area of the network that is closest to the End User or Intranet.
  • For Microsoft Dynamics CRM 2011, none of its servers resides in this zone.
Ports required between Zones 0-1
TCP 80 HTTP Default Web application port.
TCP 8080 HTTP SharePoint Administration
TCP 3389 RDP Remote Desktop Support
UDP 53 DNS DNS messages are sent from DNS clients to DNS servers or between DNS servers. Messages are sent over UDP and DNS servers bind to UDP port 53
Zone 1 – “Edge”
  • This zone contains those servers and services that provide first-level authentication, application proxy services, and load balancing across Zone 1 servers and services.
  • No domain membership with the Zone 3 Active Directory directory service and no direct connection to servers in Zone 3 for security purposes. This reduces the attack surface.
  • A “Secure by Default” approach. Locked down servers in this zone.
  • Communication via secure protocols between servers in Zone 1 and Zone 2.
Ports required between Zones 1-2
TCP 80 HTTP Default Web application port. This port may be different as it can be changed during Microsoft Dynamics CRM Server Setup.
TCP 8080 HTTP SharePoint Administration
TCP 3389 RDP Remote Desktop Support
Ports required between Zone 2 and Zone 0
TCP 25 SMTP Current dedicated SMTP server is located outside of the tiered environment and Zone 2 services require access for Business Intelligence requirements.

Zone 2 – “Proxy”
  • Servers in this zone have domain membership with Active Directory in Zone 3.
  • Relays or “proxies” authentication requests between Zone 1 and Zone 3.
  • Two-tier services or applications make use of firewall or gateway in Zone 1 to publish secure application access in lieu of a dedicated Zone 1 or edge server.
  • CRM 2011 Front-end Application Server roles reside in this zone
  • SQL Reporting Servers for CRM 2011 reside in this zone.  
Though included in Zone 2, these servers could be deployed in either Zone 2 or 3 based on your security requirements because they are not accessed by remote end users:
  • CRM 2011 Back-end Asynchronous and Sandbox Server roles reside in this zone.
  • CRM 2011 Deployment Service role server resides in this zone.
  • CRM 2011 E-mail Router servers reside in this zone.
Services available in Zone 2
Server Role Description Server Group
Discovery Web Service Finds the organization that a user belongs to in a multi-tenant deployment. Front-end Server
Organization Web Service Supports running applications that use the methods described in the Microsoft Dynamics CRM Software Development Kit. Front-end Server
Web application Server Runs the Web application Server that is used to connect users to Microsoft Dynamics CRM data. The Web application Server role requires the Organization Web Service role. Front-end Server
Help Server Makes Microsoft Dynamics CRM Help available to users. Front-end Server
Asynchronous Service Processes queued asynchronous events, such as workflows, bulk email, or data import. Back-end Server
Deployment Web Service Manages the deployment by using the methods described in the Microsoft Dynamics CRM 2011 Deployment Software Development Kit. Deployment Administration Server
Ports required from  Zone 2 to Zone 3
TCP 135 MSRPC RPC endpoint resolution.
TCP 139 NETBIOS-SSN NETBIOS session service.
TCP 445 Microsoft-DS Active Directory service required for Active Directory access and authentication.
TCP 1433 ms-sql-s SQL Server sockets service. This port is required for access to SQL Server. This number may be different if you have configured your default instance of SQL Server to use a different port number or you are using a named instance.
TCP 3389 RDP Remote Desktop Support
UDP 123 NTP Network Time Protocol.
UDP 137 NETBIOS-NS NETBIOS name service.
UDP 138 NETBIOS-dgm NETBIOS datagram service.
UDP 1025 Blackjack DCOM, used as an RPC listener.
Zone 3 – “Data center”
  • Most secure area of the network.
  • Data repository servers reside in this zone.
  • No direct access to these servers. Access is via proxies in Zone 2 or published services via firewall or gateway in Zone 1.
  • CRM 2011 databases reside in this zone.

Design Constraints
  • This design does not address Domain Level Trust requirements between external user domain and Zone 3 domain.
  • SMTP access from Zone 3 was not included in this design. If DBA staff requires  SMTP communications from the Data Tier then SMTP would need to be exposed for this feature to function.
  • Microsoft CRM 2011 allows for application users to export data into Excel and later update the data exported by a connection string. This feature would not work in this design because no direct Zone 0 to Zone 3 access has been made available. If this feature is a business requirement then port 1433 would need to be made available in Zone 3. Microsoft had documented this level of access and until the Business Unit  identifies the requirement that feature is not support in this environment. (See below Diagram)

No comments:

Post a Comment