The architecture for hosting Microsoft Dynamics CRM 2011 is based on a three-tiered, four-zone approach, where the tiers define various levels of scale, and the zones illustrate the use of network segmentation to reduce the attack surface and secure data access. This design is based upon published Microsoft TechNet documentation related to “Best Practices” for secure MS Dynamics CRM 2011 Deployment.
The zones referenced in Microsoft Dynamics CRM 2011 are as follows:
Zone 0 – “Boundary”
- The area of the network that is closest to the End User or Intranet.
- For Microsoft Dynamics CRM 2011, none of its servers resides in this zone.
| Protocol | Port | Description | Explanation |
|---|---|---|---|
| TCP | 80 | HTTP | Default Web application port. |
| TCP | 8080 | HTTP | SharePoint Administration |
| TCP | 3389 | RDP | Remote Desktop Support |
| UDP | 53 | DNS | DNS messages are sent from DNS clients to DNS servers or between DNS servers. Messages are sent over UDP, and DNS servers bind to UDP port 53. |
Zone 1
- This zone contains the servers and services that provide first-level authentication, application proxy services, and load balancing across Zone 1 servers and services.
- Servers in this zone have no domain membership in the Zone 3 Active Directory directory service and no direct connection to servers in Zone 3; this reduces the attack surface.
- Servers in this zone follow a “Secure by Default” approach and are locked down.
- Servers in Zone 1 and Zone 2 communicate with each other over secure protocols.
| Protocol | Port | Description | Explanation |
|---|---|---|---|
| TCP | 80 | HTTP | Default Web application port. This port may be different, as it can be changed during Microsoft Dynamics CRM Server Setup. |
| TCP | 8080 | HTTP | SharePoint Administration |
| TCP | 3389 | RDP | Remote Desktop Support |
| Protocol | Port | Description | Explanation |
|---|---|---|---|
| TCP | 25 | SMTP | The current dedicated SMTP server is located outside of the tiered environment, and Zone 2 services require access to it for Business Intelligence requirements. |
Zone 2 – “Proxy”
- Servers in this zone have domain membership with Active Directory in Zone 3.
- Relays or “proxies” authentication requests between Zone 1 and Zone 3.
- Two-tier services or applications make use of a firewall or gateway in Zone 1 to publish secure application access instead of a dedicated Zone 1 or edge server.
- CRM 2011 Front-end Application Server roles reside in this zone.
- SQL Reporting Servers for CRM 2011 reside in this zone.
- CRM 2011 Back-end Asynchronous and Sandbox Server roles reside in this zone.
- CRM 2011 Deployment Service role server resides in this zone.
- CRM 2011 E-mail Router servers reside in this zone.
| Server Role | Description | Server Group |
|---|---|---|
| Discovery Web Service | Finds the organization that a user belongs to in a multi-tenant deployment. | Front-end Server |
| Organization Web Service | Supports running applications that use the methods described in the Microsoft Dynamics CRM Software Development Kit. | Front-end Server |
| Web Application Server | Runs the Web application that connects users to Microsoft Dynamics CRM data. The Web Application Server role requires the Organization Web Service role. | Front-end Server |
| Help Server | Makes Microsoft Dynamics CRM Help available to users. | Front-end Server |
| Asynchronous Service | Processes queued asynchronous events, such as workflows, bulk e-mail, or data import. | Back-end Server |
| Deployment Web Service | Manages the deployment by using the methods described in the Microsoft Dynamics CRM 2011 Deployment Software Development Kit. | Deployment Administration Server |
| Protocol | Port | Description | Explanation |
|---|---|---|---|
| TCP | 135 | MSRPC | RPC endpoint resolution. |
| TCP | 139 | NETBIOS-SSN | NETBIOS session service. |
| TCP | 445 | Microsoft-DS | Active Directory service; required for Active Directory access and authentication. |
| TCP | 1433 | ms-sql-s | SQL Server sockets service. This port is required for access to SQL Server. The number may be different if you have configured your default instance of SQL Server to use a different port or you are using a named instance. |
| TCP | 3389 | RDP | Remote Desktop Support |
| UDP | 123 | NTP | Network Time Protocol. |
| UDP | 137 | NETBIOS-NS | NETBIOS name service. |
| UDP | 138 | NETBIOS-dgm | NETBIOS datagram service. |
| UDP | 1025 | Blackjack | DCOM, used as an RPC listener. |
Zone 3
- The most secure area of the network.
- Data repository servers reside in this zone.
- There is no direct access to these servers. Access is via proxies in Zone 2 or via services published through a firewall or gateway in Zone 1.
- CRM 2011 databases reside in this zone.
Design Constraints
- This design does not address Domain Level Trust requirements between external user domain and Zone 3 domain.
- SMTP access from Zone 3 was not included in this design. If DBA staff require SMTP communications from the Data Tier, SMTP would need to be exposed for that feature to function.
- Microsoft Dynamics CRM 2011 allows application users to export data to Excel and later refresh the exported data through a connection string. This feature does not work in this design because no direct Zone 0 to Zone 3 access has been made available. If the feature is a business requirement, port 1433 would need to be made available in Zone 3. Microsoft has documented this level of access; until the Business Unit identifies the requirement, the feature is not supported in this environment. (See the diagram below.)
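As an added example (not part of the original design document or of Microsoft's guidance), the following Python encodes the port tables above as per-boundary allow-lists and checks candidate flows and constructed firewall records against them, so that a flow skipping a zone, such as the Zone 0 to Zone 3 export over TCP 1433 described in the constraints, is flagged. The assignment of each table to a zone boundary, the SMTP egress path, the log record format and the names POLICY, is_permitted and audit_log are assumptions of this example.

```python
import re

# Allow-list per (source_zone, destination_zone), transcribed from the
# page's port tables. Which boundary each table protects is an
# assumption of this example; the original does not state direction.
POLICY = {
    (0, 1): {("tcp", 80), ("tcp", 8080), ("tcp", 3389), ("udp", 53)},
    (1, 2): {("tcp", 80), ("tcp", 8080), ("tcp", 3389)},
    (2, 3): {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 1433),
             ("tcp", 3389), ("udp", 123), ("udp", 137), ("udp", 138),
             ("udp", 1025)},
    # SMTP egress from Zone 2 to the dedicated relay outside the tiers,
    # modelled here (assumption) as leaving through Zone 0.
    (2, 0): {("tcp", 25)},
}

def is_permitted(src_zone, dst_zone, proto, port):
    """Permit a flow only when a boundary allow-list exists for this
    zone pair and lists the protocol/port. A pair with no allow-list
    (e.g. Zone 0 straight to Zone 3) is denied whatever the port,
    which is why the Excel export over TCP 1433 fails in this design."""
    return (proto.lower(), port) in POLICY.get((src_zone, dst_zone), set())

LOG_RE = re.compile(
    r"src=zone(?P<src>\d) dst=zone(?P<dst>\d) proto=(?P<proto>\w+) dport=(?P<port>\d+)")

def audit_log(lines):
    """Return (line number, record) for every record the policy does
    not permit. Unparseable records are reported too: a firewall log
    line that cannot be read must never count as compliant."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m is None or not is_permitted(int(m["src"]), int(m["dst"]),
                                          m["proto"], int(m["port"])):
            findings.append((n, line))
    return findings

# Constructed sample records, not output from any real firewall.
SAMPLE_LOG = [
    "ALLOW src=zone0 dst=zone1 proto=tcp dport=80",
    "ALLOW src=zone2 dst=zone3 proto=tcp dport=1433",
    "ALLOW src=zone0 dst=zone3 proto=tcp dport=1433",  # Excel export path the constraints rule out
    "ALLOW src=zone1 dst=zone2 proto=tcp dport=445",   # AD ports belong on the Zone 2/3 boundary
    "ALLOW src=zone2 dst=zone0 proto=tcp dport=25",    # SMTP egress to the external relay
]

if __name__ == "__main__":
    for n, line in audit_log(SAMPLE_LOG):
        print(f"line {n}: flow not permitted by the zone design: {line}")
```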