Secure Dynamics CRM With a Web Application Proxy
If you’re not ready for the cloud yet (and you should be getting there!), a good stepping stone that allows you to access your on-premise Dynamics CRM from anywhere you have internet is to make your Dynamics CRM 2016 an “Internet Facing Deployment” (IFD). A Dynamics CRM IFD is secure, but you can step up IFD security a few notches with a web application proxy.
The current model is to have something called a “domain joined front end server” in your DMZ Ref:

However, having a domain joined server in your DMZ is something to avoid because it means opening multiple additional ports. Your DMZ will be less effective as a vulnerability in any of these end points could lead to a security problem. Plus, anyone who compromises the domain joined server in your DMZ is now on a trusted domain joined server.
Perhaps you were clever and used a reverse proxy like the Threat Management Gateway (TMG). As you might know, Threat Management Gateway end of support is 2020.
What to do? Use a Web Application Proxy
It’s not a great idea to use a domain joined front end server, and TMG end of support is coming quickly. The solution? Along comes Windows Server 2012 R2 with a built in Web Application Proxy (WAP) server that doubles as a AD FS Proxy. Problem solved!
Now to access your on-premise Dynamics CRM securely, you will only need to open port 443 in your DMZ, and port 443 from your DMZ to your internal network. You will have a WAP server acting as a reverse proxy and a ADFS proxy; plus you will only need one port open to your internal network from your DMZ.
A Great MS Blog on configuring WAP is located here.
Thanks for reading! And good luck. Let me know if you have any questions.
Webinar - End-to-End Resource Scheduling in Dynamics 365 Project Operations
This webinar provides an end-to-end overview of how you can schedule resources in D365 Project Operations. This overview will be useful to project managers, schedulers, and sys admins.
October 11
9:00 am – 9:30 am PST