MS dynamics CRM 2011安装部署和使用之七：网站证书DNS防火墙设置

Microsoft Dynamics CRM 4.0操作和维护指南中文 4.0.0 修订版本文档中的信息（包括引用的 URL 和其他 Internet ）如有更改，恕不另行通知。

除非另行说明，否则本文示例中描述的公司、组织、产品、域名、电子地址、徽标、人物、地点和事件纯属虚构。

无意与任何真实的公司、组织、产品、域名、电子地址、徽标、人物、地点或事件发生任何关联，也不应有此方面的推断。

用户有责任遵守一切适用的法。

未经 Microsoft Corporation 书面明确许可，不得出于任何目的、以任何形式或通过任何手段（电子、机械、影印、录制或其他手段）复制本文档的任何容、将其存入或引入检索系统或者进行传播；但此规定并不限制所赋予的各项权利。

Microsoft 可能拥有涉及本文档主题的专利、专利申请、商标、或其他知识产权。

除非Microsoft 提供的书面许可协议中有明文规定，否则提供本文档并不表示赋予您使用这些专利、商标、或其他知识产权的许可。

© 2007 Microsoft Corporation。

保留所有权利。

您复制本文档的权利受法/著作权法和软件许可协议条款的限制。

对于软件许可证，您可以制作合理数量的副本或打印版本供自己使用。

未经授权擅自制作副本、改编、汇编或进行衍生性工作用于商业发行都是法律禁止的行为，违者将受到惩罚。

Microsoft、MS-DOS、Windows、Windows Server、Windows Vista、Microsoft Dynamics、Active Directory、BizTalk 和 Outlook 是 Microsoft 旗下各公司的商标。

所有其他商标均归其各自所有者所有。

目录1概述欢迎使用《Microsoft Dynamics CRM 4.0 操作和维护指南》，本指南是《Microsoft Dynamics CRM 4.0 实施指南》综合文档集的一部分。

Connectivity and Firewall Port Requirements for Microsoft Dynamics CRM 2011White PaperPublished : October 2012 Updated : September 2013FeedbackTo send comments or suggestions about this document, please click the following link and type your feedback in the message body:/fwlink/?LinkID=267480Important: The subject-line information is used to route your feedback. If you remove or modify the subject line, we may be unable to process your feedback.2Table of ContentsOverview (4)On Premise with Integrated Windows Authentication (4)On Premise with Claims-Based Authentication (5)Default CRM Connectivity Requirements (6)Port Recommendations (8)Network ports for the Microsoft Dynamics CRM Web application (8)Network ports for the Asynchronous Service, Web Application Server, and Sandbox Processing Service server roles (9)Network ports that are used by the SQL Server that runs the Microsoft Dynamics CRM Reporting Extensions server roles (9)Connectivity Requirements for Windows Services (9)Connectivity Requirements for Integrated Windows Authentication (10)Mail Server Connectivity Requirements (11)Appendix A: Resources (12)3OverviewMany data centers include firewalls between the end users and the servers and other integrated systems that support an implementation of Microsoft Dynamics CRM 2011. This document is designed to provide guidance on the connectivity requirements between Microsoft Dynamics CRM 2011 and other systems to assist readers with proper firewall configuration in customer environments.On-Premises with Integrated Windows AuthenticationAn overview of an on-premises implementation that uses Integrated Windows Authentication (IWA) is shown in the following diagram.In this scenario the user must have a certain level of connectivity to the CRM Server(s), the Active Directory Server(s) and the SQL Server for SQL Filtered View access (if Export to Excel functionality is required). The remainder of this document focuses primarily on this scenario and details the required level of connectivity between these various components as well as further options for integration, Citrix implication, and so on.4On-Premises with Claims-Based AuthenticationAn overview of an on-premises implementation that uses claims-based authentication is shown in the following diagram using Active Directory Federation Service (ADFS) as the Security Token Service (STS).With claims-based authentication, the Microsoft Dynamics CRM site is accessed anonymously and is then redirected to ADFS. Users enter their credentials, which are validated by ADFS by contacting Active Directory Directory Services (AD-DS). Finally, AFDS issues a SAML token containing the necessary claims for accessing Microsoft Dynamics CRM.5Default CRM Connectivity RequirementsAn overview of the default connectivity requirements for an on-premises deployment ofIn addition all Servers require the following:∙ DNS name resolution on UDP/TCP: 53∙ NetBIOS name resolution on TCP: 139, UDP: 137/138∙ NTP time synchronisation: 123 –this is a requirement for Kerberos Authentication∙ DCOM and RPC: TCP 135, UDP 1025Note. Arrow direction depicts source and target of initiating request rather than direction of data flowImportant: Because this diagram is focused on Microsoft Dynamics CRM connectivity requirements, full details about the specific port requirements for Microsoft Exchange Server and the Microsoft Windows Active Directory service are not shown. Additional information and links to related articles about these technologies and their specific requirements are provided in the following sections of this document.6The default connectivity requirements for components of an on-premises deployment of Microsoft Dynamics CRM 2011 are shown in the following table.Important: In each case, the port numbers can be configured to run under alternative (non-default) values, so environments will vary.7Port RecommendationsNetwork ports for the Microsoft Dynamics CRM web application The following table lists the ports used for a server that is running a Full Server installation of Microsoft Dynamics CRM. Moreover, except for the Microsoft SQL Server role, and the Microsoft Dynamics CRM Connector for SQL Server Reporting Services server role, all server roles are installed on the same computer.Important: Depending on the domain trust configuration, additional network ports may be required for Microsoft Dynamics CRM to work correctly. For more detail, see Knowledge Base article ID 179442, How to configure a firewall for domains and trusts.8Network ports for the Asynchronous Service, Web Application Server, and Sandbox Processing Service server rolesThe following table lists the additional ports that are used for a deployment where the Sandbox Processing Service is running on a separate computer.Network ports that are used by the SQL Server that runs the Microsoft Dynamics CRM Reporting Extensions server rolesThe following table lists the ports that are used for a computer that is running SQL Server with only SQL Server and the Microsoft Dynamics CRM Reporting Extensions server roles installed.Note: The NETBIOS ports (TCP 139, UDP 137 and 138) are an alternative to port 445 which is used by SQL named pipes. These ports are required only during setup to determine the SQL port for named instances of SQL; the NETBIOS ports are not required during normal operation. Connectivity Requirements for Windows ServicesMicrosoft client, server, and server-based programs use a variety of network ports and protocols to communicate with client systems and with other server systems over the network. While beyond the scope of this article, details of the essential network ports, protocols and services that are used by Microsoft client and server operating systems, server-based programs, and their subcomponents in the Microsoft Windows server system are available on the Microsoft Support site in Article ID 832017, Service overview and network port requirements for Windows.9Connectivity Requirements for Integrated Windows AuthenticationThe key service and port requirements for Integrated Windows Authentication (IWA) are shown in the following table:However, in larger deployments, firewalls can present two challenges when deploying a distributed Active Directory (AD) directory service architecture:▪Initially promoting a server to a domain controller▪Replicating traffic between domain controllersActive Directory relies on remote procedure call (RPC) for replication between domain controllers. Note that while Simple Mail Transfer Protocol [SMTP] can be used in certain situations—schema, configuration, and global catalog replication—but not domain naming context, which limits its usefulness.Configuring replication in environments in which a directory forest is distributed among internal, perimeter networks and external (that is, Internet-facing) networks can be challenging. In these scenarios, there are three possible approaches:▪Open the firewall wide to permit the native dynamic behaviour of RPC▪Limit the use of TCP ports by RPC and open the firewall just a little bitNote: For additional detail about this option, see the following resources:∙Article ID 929851 - The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008∙Article ID 154596 - How to configure RPC dynamic port allocation to work with firewalls∙How to limit dynamic RPC ports used by DPM and protected servers▪Encapsulate domain controller (DC-to-DC) traffic inside IP Security Protocol (IPSec) and open the firewall for thatEach of these approaches has its pros and cons; in general, there are more cons than pros associated with the first option listed above and more pros than cons associated with the third option listed above.Note: For more information about each option, including details of the configuration and port requirements for each, see the TechNet article Active Directory Replication Over Firewalls.10Mail Server Connectivity RequirementsMicrosoft Dynamics CRM 2011 provides for integration with Exchange and other SMTP/POP3 servers. Mail system integration is typically achieved either through client-side integration via Outlook or server-side integration via Exchange or a third-party POP3/SMTP server.Note: This document focuses on server-side integration via Exchange, but the same principles would apply to server-side integration via other POP3/SMTP servers.Administrators can specify to use either client-side or server-side integration, which can be configured at a user level within the User properties in Microsoft Dynamics CRM. After the administrator specifies the level at which integration will occur, users on the client computers must agree to have email sent on their behalf by Microsoft Dynamics CRM by using their own user options configuration.While client-side integration does not require any additional server components, it works only with Microsoft Dynamics CRM for Outlook. The Microsoft Dynamics CRM for Outlook plug-in is then used to send email via Outlook and the users’ preconfigured mail Server as well as to route inbound emails back into Microsoft Dynamics CRM. This integration happens on a regular polling basis (but is not immediate). Additional Microsoft Dynamics CRM-specific ports are not required for this integration; standard Exchange connectivity is used. Emails are routed into Microsoft Dynamics CRM via the CRM Web Services; hence access to Port 80 (443 for SSL) from Microsoft Dynamics CRM for Outlook is the only requirement.The CRM Exchange Router can be installed on an Exchange Server or on a dedicated CRM Exchange Router server. Using the CRM Exchange Router provides inbound and outbound email connectivity for both the Microsoft Dynamics CRM web client and Microsoft Dynamics CRM for Outlook. This CRM Exchange Router integrates with external mail systems via:▪POP3 (TCP:110) and SMTP (TCP:25)▪HTTP-DAV (TCP:80) for the CRM Sink account or direct to users mail account▪Exchange Web Service (EWS) (TCP:80)11Appendix A: ResourcesFor additional information related to connectivity and firewall port requirements in Microsoft Dynamics CRM 2011, see the following additional resources:▪Microsoft Dynamics CRM 2011 Implementation Guideo Downloado View Online▪Service overview and network port requirements for Windows▪Article ID 929851 - The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008▪Article ID 154596 - How to configure RPC dynamic port allocation to work with firewalls ▪How to limit dynamic RPC ports used by DPM and protected servers▪Active Directory Replication Over Firewalls▪Securing Your Application Server12。

MicrosoftDynamicsCRM操作与维护指导书Microsoft Dynamics CRM 4.0操作与保护指南中文 4.0.0 修订版本文档中的信息（包含引用的 URL 与其他 Internet 网站）如有更换，恕不另行通知。

除非另行说明，否则本文示例中描述的公司、组织、产品、域名、电子邮件地址、徽标、人物、地点与事件纯属虚构。

无意与任何真实的公司、组织、产品、域名、电子邮件地址、徽标、人物、地点或者事件发生任何关联，也不应有此方面的推断。

用户有责任遵守一切适用的版权法。

未经Microsoft Corporation 书面明确许可，不得出于任何目的、以任何形式或者通过任何手段（电子、机械、影印、录制或者其他手段）复制本文档的任何内容、将其存入或者引入检索系统或者者进行传播；但此规定并不限制版权所给予的各项权利。

Microsoft 可能拥有涉及本文档主题的专利、专利申请、商标、版权或者其他知识产权。

除非Microsoft 提供的书面许可协议中有明文规定，否则提供本文档并不表示给予您使用这些专利、商标、版权或者其他知识产权的许可。

© 2007 Microsoft Corporation。

保留所有权利。

您复制本文档的权利受版权法/著作权法与软件许可协议条款的限制。

关于软件许可证，您能够制作合理数量的副本或者打印版本供自己使用。

未经授权擅自制作副本、改编、汇编或者进行衍生性工作用于商业发行都是法律禁止的行为，违者将受到惩处。

Microsoft、MS-DOS、Windows、Windows Server、Windows Vista、Microsoft Dynamics、Active Directory、BizTalk 与 Outlook 是 Microsoft 旗下各公司的商标。

所有其他商标均归其各自所有者所有。

目录1概述欢迎使用《Microsoft Dynamics CRM 4.0 操作与保护指南》，本指南是《Microsoft Dynamics CRM 4.0 实施指南》综合文档集的一部分。

MS dynamics CRM 2011安装部署和使用之八：声明认证的内部访问(2012-04-17 00:18:22)转载▼分类：DynamicsCRM标签：crmdynamicscrm2011客户关系管理感知网it配置基于声明的认证--内部访问这里需要如下4个步骤：1）安装和配置AD FS 2.02）在CRM 2011上设定基于声明的认证3）在AD FS 2.0上设定基于声明的认证4）测试基于声明的认证方式本文参考了：/blog/index.php/server-tips/microsoft-crm-2011-how-to-configure -ifd-hosted-setup/安装和配置AD FS 2.0在内网的访问的流程如下，参见之前的介绍在这里AD FS 2.0负责向客户端发送token。

需要注意的是，AD FS 2.0默认必须安装到Default Web Site，CRM 2011安装在另外的站点，如下图。

如果不是这样，那你就要重新安装CRM 2011了。

下载AD FS 2.0 RTW/downloads/zh-cn/details.aspx?familyid=118c3588-9070-426a-b655-6c ec0a92c10b安装 AD FS 2.0在安装向导，选择“联合服务器”，确认安装完成。

完成时，勾选“启动AD FS 2.0管理单元”配置 AD FS 2.0AD FS 2.0管理界面，选择配置向导，选择“创建新的联合身份验证服务”，下一步选择”独立联合服务器“联合身份验证服务名称，输入。

说明：对于多个服务器的，可以设定为”"选择下一步直至完成安装验证AD FS 2.0工作打开IE, 输入联合元数据的URL地址https:///federationmetadata/2007-06/federationmetadata.xml说明：1）之外，其它URL部分是固定的2）对多个服务器的情况，这里的地址是对于弹出的警告，确认继续，此时IE会打开XML文件，表示AD FS 2.0工作正常在CRM 2011上配置基于声明的认证打开CRM部署管理器（开始--部署管理器）选择Dynamics CRM,右键，选择“属性”选择WEB地址，绑定类型，选择HTTPS，现在设置的地址是给内网访问的，我们设定一个域名“"，端口是刚才设定CRM的SSL端口，446.确认。

为Microsoft Dynamics CRM 2011配置Claims-Based认证Microsoft Dynamics CRM 4.0 使用Windows集成认证（Integrated Windows authentication）来对内部用户进行认证，使用窗体身份认证（Forms authentication）来对不使用VPN的外部用户提供internet访问。

Microsoft Dynamics CRM 2011 将窗体身份认证替换为了基于声明的认证（Claim-based authentication），它能够提供简化的的用户访问和单点登录（single sign-on）来访问Microsoft Dynamics CRM的数据。

本文将介绍如何为CRM 2011配置Claim-based认证以及IFD。

关于ADFS和Claim，可参考下述资料：A Guide to Claims–based Identity and Access Control(/fwlink/?LinkID=188049)Using Active Directory Federation Services 2.0 in Identity Solutions (/fwlink/?LinkID=209776)Windows Server 2008 R2 Active Directory Federation Services 2.0 (/fwlink/?LinkId=200771)AD FS 2.0 Step-by-Step and How To Guides(/fwlink/?LinkId=180357)Claims-Based Identity for Windows.pdf(/fwlink/?LinkID=209773)本文的内容将包括以下三部分：1. Claim-based认证的准备工作2. 配置Claim-based认证-内部访问3. 配置Claim-based认证-外部访问（IFD）1. Claim-based认证的准备工作在配置配置Claim-based认证之前，需要考虑以下问题：（1）CRM Server 2011和AD FS 2.0的条件如果你打算将组建装在同一个服务器上，那么你需要注意AD FS 2.0会安装在默认站点上。

DNS安全防护解决方案标题：DNS安全防护解决方案引言概述：DNS（Domain Name System）是互联网中最重要的基础设施之一，负责将域名转换为IP地址，是互联网通信的基础。

然而，DNS也存在安全风险，如DNS缓存投毒、DNS劫持等，给网络安全带来威胁。

为了保障DNS的安全，需要采取相应的防护措施。

一、加强DNS服务器安全性1.1 更新DNS服务器软件：定期更新DNS服务器软件，及时修补漏洞，提高系统的安全性。

1.2 配置防火墙：在DNS服务器上配置防火墙，限制对DNS服务的访问，防止未经授权的访问。

1.3 启用DNSSEC：启用DNSSEC（DNS Security Extensions），对DNS数据进行签名验证，确保数据的完整性和真实性。

二、加强网络设备安全性2.1 更新网络设备固件：定期更新网络设备的固件，修复安全漏洞，提高设备的安全性。

2.2 配置ACL（Access Control List）：在网络设备上配置ACL，限制对DNS 流量的访问，防止恶意攻击。

2.3 使用双因素认证：对网络设备进行双因素认证，提高设备的安全性，防止未经授权的访问。

三、监控DNS流量3.1 实时监控DNS流量：通过安全监控工具实时监控DNS流量，及时发现异常情况。

3.2 分析DNS查询日志：定期分析DNS查询日志，查找异常查询，及时处理安全事件。

3.3 部署DNS流量分析器：部署DNS流量分析器，对DNS流量进行深度分析，识别潜在的安全威胁。

四、加强域名注册商安全性4.1 选择可信赖的域名注册商：选择知名的域名注册商，避免因注册商安全漏洞导致域名被劫持。

4.2 启用域名锁定功能：启用域名注册商提供的域名锁定功能，防止域名被非法转移。

4.3 定期更改注册商密码：定期更改域名注册商的密码，确保账户的安全。

五、域名安全服务5.1 使用DDoS防护服务：部署DDoS防护服务，保护DNS服务器免受分布式拒绝服务攻击。