Secure Dynamics CRM With a Web Application Proxy 

If you’re not ready for the cloud yet (and you should be getting there!), a good stepping stone that allows you to access your on-premise Dynamics CRM from anywhere you have internet is to make your Dynamics CRM 2016 an “Internet Facing Deployment” (IFD). A Dynamics CRM IFD is secure, but you can step up IFD security a few notches with a web application proxy.

The current model is to have something called a “domain joined front end server” in your DMZ Ref:

However, having a domain joined server in your DMZ is something to avoid because it means opening multiple additional ports.  Your DMZ will be less effective as a vulnerability in any of these end points could lead to a security problem.  Plus, anyone who compromises the domain joined server in your DMZ is now on a trusted domain joined server.

Perhaps you were clever and used a reverse proxy like the Threat Management Gateway (TMG).  As you might know, Threat Management Gateway end of support is 2020.

What to do? Use a Web Application Proxy

It’s not a great idea to use a domain joined front end server, and TMG end of support is coming quickly.  The solution? Along comes Windows Server 2012 R2 with a built in Web Application Proxy (WAP) server that doubles as a AD FS Proxy. Problem solved!

Now to access your on-premise Dynamics CRM securely, you will only need to open port 443 in your DMZ, and port 443 from your DMZ to your internal network.  You will have a WAP server acting as a reverse proxy and a ADFS proxy; plus you will only need one port open to your internal network from your DMZ.

A Great MS Blog on configuring WAP is located here.

Thanks for reading! And good luck. Let me know if you have any questions.