SBS User Groups
OnLine Tools
Satisfied Customers

Publishing CRM SBE via ISA 2004
by Andy Goodman [SBS-MVP]

So you followed my instructions and you have a functional CRMsbe installation, if not see the troubleshooting article before proceeding. So now you want to enable SSL so the transactions are more secure. Well you've come to the right place :>), but let me emphasize these instructions are for CRM 3.0 Small Business Edition with ISA 2004 only, and may only work if you did the integrated install (the first choice when installing). They have not been tested if you did the manual install (the second choice) as outlined on the Magical M&M's Site or you don't have ISA 2004.

I would like to send out a very big Thank You to Marcelo Sauaf of Brazil who finally figured out how to get this to work without
consistently be prompted for credentials.

Here are the topics in this article if you want to jump to a specific area
    Add a Web Listener
    Publish the CRM web site to the Internet
    Access the CRM web site from the Internet

Lets get the CRM 3.0 SBE website published.

First open up the ISA Console.

We need to add a Web Listener for our new SSL port.
Click on Firewall Policy
Click on the Toolbox
Click on Network Objects
Right click on Web Listeners
Select New Web Listener

Give it a distinctive name

Set it to listen to the External network

Uncheck Enable HTTP
Check Enable SSL
set the port to 446 (or whatever port you decide to use)

Now we need to select the correct certificate to use.
You want the one you created when you ran the CEICW  (connect to the internet wizard) when you setup SBS
Sorry for the clutter in the screenshot, yours will be much clearer
Select it and click OK

Once all the info is entered, click Next

We get the obligatory summary screen, if it looks right, click Finish

Now remember this is ISA 2004 Finish doesn't really mean finish
We still need to click Apply.

The wizard will restart the firewall service and show you it's progress

When it finishes, it will tell you the changes were applied.

Next we need to actually publish the CRM web site.

Still in the ISA console, click the Tasks tab in the task pane on the right.
Click on Publish a Secure Web Server

Give your publishing rule a catchy name

We want to bridge to IIS not tunnel

Your new rule needs to Allow access

We only want to secure the traffic from the Internet, we do not need to
secure the internal traffic. If you try to secure all the traffic you will get
prompted for credentials every time you click anything in CRM.

We need to use our internal web server address here.
Mine is yours is probably if you took the
defaults when you did the SBS installation.

Now enter your public name, make sure you have an "A" Record listed for
this with your ISP.

Next we tell it to use the Web Listener we created earlier

And the default of All Users is probably ok


We are presented with the summary screen, if it looks ok, click Finish

But wait we are not finished yet

Click Apply, you could skip this step and go on until you are finished,
but just like saving often in word, it is just a good idea to apply as you go.

Right click on our new rule and select Properties, or just double click on it

Click on the To tab
Make sure the Forward the original host header is checked.
Set the Proxy request option to Requests appear to come from the original client.

Next click the Traffic tab
Check the Require 128-bit encryption for HTTPS traffic check box

Now click the Bridging tab
Check the Redirect requests to HTTP port check box and enter 5555
or whatever port you installed CRM onto.
Make sure to uncheck the Redirect requests to SSL port check box

Now we need to click that Apply button again to make our final changes stick

And hopefully we get the all ok from the wizard.


One more little thing I will remind you of, because it tripped me up for over an hour on the second site I did.
I seem to have a memory like a rock lately.
If you have a firewall/router in front of your SBS box Remember to OPEN PORT 446

Now all you have to do is goto https://YourPublicAddress:446 from a machine outside the lan
When you get the security warning you need to INSTALL the Certificate


If you are using IE 7 you will be prompted to close the window, say yes

And if all went well, you should be in the CRM window just like you were on the lan.

This is the process that worked for me to allow outside access to the CRM Web Site on SBS 2003 with ISA 2004
You results may vary depending on your configuration. I can only tell you what worked for me and wish you luck,
hopefully Microsoft will publish a supported process soon, but I have not been able to get anyone to confirm that.


          *All trademarks and copyrights are property of their respective owners.
          **Author and/or Publisher assumes no responsibility, use these suggestions and guidelines at your own risk


Home Up