ADFS 3.0 and HTTPS both using port 443 on external firewall?

  • Question

  • I have set up ADFS 3.0 which uses port 443 on a new Windows 2012 R2 server for Dynamics CRM 2016. I also have a separate Exchange server in the same network which has the HTTPS service going to port 443. 

    Internally it works fine, but is it possible to have two different services, HTTPS and ADFS, mapped to the same port using different IP addresses?

    The common workaround is to change the port for ADFS 3.0

    http://inogic.com/blog/2014/07/how-to-change-the-port-of-adfs-3-0-windows-server-2012-r2-to-444/

    However it says Note: If you change the Port of ADFS to 444 from default port then it will give following warning. It means, if you set ADFS on 444, then you will not be able to register mobile device in ADFS, hence you will not be able to develop Mobile device app for CRM.

    I wish to avoid this as using CRM on phones/tablets is a requirement. Any ideas/workarounds?

    Thanks

    Friday, April 15, 2016 6:38 AM

Answers

  • The workaround for my scenario was to configure VPN on the smartphones. The WAP server was removed from the network.

    • Edited by Amanti Thursday, April 28, 2016 3:21 AM
    • Marked as answer by Amanti Thursday, April 28, 2016 3:21 AM
    Thursday, April 28, 2016 3:20 AM

All replies

  • Hiya,

    Yes - as long as it's bound to different IP's it shouldn't be a problem.

    Friday, April 15, 2016 7:58 AM
  • Thanks for your reply. What are some ways of binding port 443 to different IPs for external access? This is where I am stuck.

    Friday, April 15, 2016 12:32 PM
  • The WAP server is using SNI (so you can have multiple site publication on the same IP/PORT as long as they use different hostname). So you can do the following:

    1. Deploy a WAP server
    2. Make sure your NAT is redirecting all external names to your WAP server (so let's say OWA is owa.contoso.com, CRM is crm.contoso.com and ADFS is sts.contoso.com; make sure your external DNS resolves all of these to your public IP address, which is NATed to your WAP server).
    3. Publish OWA and CRM as passthrough auth on your WAP (or pre-auth if you want but that requires some other config...)

    No need to change the port that way.

    By the way, I would not change port 443 for SSL in general. It is quite frequent that public access points or guest wifi let only TCP 80 and TCP 443 through... Having something custom is a risk there.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, April 15, 2016 1:26 PM
  • Thanks for this Pierre.

    I ended up deploying a WAP server. I set up CRM, ADFS and Outlook Web Access as passthrough and this works externally with Apple and Windows devices. But it won't work for ActiveSync on Android smartphones as it does not support SNI. 

    The workaround for this is to create a fallback certificate and bind it:

    https://blogs.technet.microsoft.com/applicationproxyblog/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2/

    However, this only works if you are using a single wildcard or SAN certificate for all your applications and they are on the same domain, e.g. owa.contoso.com, crm.contoso.com and sts1.contoso.com.

    In my situation, we will require other applications than CRM to be able to use SSO. If you have ADFS and CRM on the same domain, it will cause a conflict:

    http://crmtipoftheday.com/2015/12/23/avoid-using-the-same-domain-for-adfs-and-crm/

    So we have owa.contoso.com for Outlook Web Access and sts1.contoso.com for ADFS. Then we have orgname.crm16.contoso.com for CRM.

    In an ideal scenario, we'd have all users on Apple or Windows smartphones but Android is pretty popular :) Any ideas or suggestions?

    Thanks

    Wednesday, April 20, 2016 11:46 PM
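The publishing steps Pierre lists above and the non-SNI fallback binding discussed in this reply, as an added PowerShell example that is not code from the thread or from Microsoft; it assumes the WAP role is already installed, uses the thread's contoso.com hostnames, and marks the certificate thumbprint and HTTP.sys appid as placeholders.

```powershell
# Added example, not from the thread. Assumes the Web Application Proxy role
# is installed on a domain-joined server and one wildcard/SAN certificate
# covers every published hostname. Thumbprint and appid are placeholders.
$wildcardThumb = '<THUMBPRINT-OF-WILDCARD-CONTOSO-CERT>'   # placeholder

# Step 1: deploy WAP; this also publishes the federation service (sts.contoso.com)
# so no separate application entry is needed for AD FS.
Install-WebApplicationProxy `
    -CertificateThumbprint $wildcardThumb `
    -FederationServiceName 'sts.contoso.com' `
    -FederationServiceTrustCredential (Get-Credential -Message 'AD FS admin account')

# Step 3: publish OWA and CRM as pass-through (no pre-authentication), each on
# its own hostname. SNI lets all three names share the single public IP:443.
$apps = @(
    @{ Name = 'OWA'; Ext = 'https://owa.contoso.com/'; Backend = 'https://owa.contoso.com/' },
    @{ Name = 'CRM'; Ext = 'https://crm.contoso.com/'; Backend = 'https://crm.contoso.com/' }
)
foreach ($a in $apps) {
    Add-WebApplicationProxyApplication `
        -Name $a.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $a.Ext `
        -BackendServerUrl $a.Backend `
        -ExternalCertificateThumbprint $wildcardThumb
}

# Check: list what is published and the per-hostname SNI bindings HTTP.sys holds.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, ExternalPreauthentication
netsh http show sslcert

# Non-SNI clients (the Android ActiveSync case in the thread) send no hostname,
# so HTTP.sys has nothing to match; a fallback binding on the bare IP:port
# answers them with the wildcard certificate. This only helps when that one
# certificate covers every published name. Take the appid from an existing
# binding in the 'netsh http show sslcert' output above.
$appId = '{<APPID-FROM-EXISTING-BINDING>}'   # placeholder
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$wildcardThumb" "appid=$appId"
```

Run `netsh http show sslcert` again afterwards and confirm the 0.0.0.0:443 entry appears alongside the hostname-based ones.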