Perimeter Network
Installation Guide
Microsoft Perimeter Network Installation Guide
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any written
license agreement from Microsoft, the furnishing of this document does not give you any license to
these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Navision, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, Axapta,
and Great Plains are either registered trademarks or trademarks of Microsoft Corporation or
Microsoft Business Solutions ApS in the United States and/or other countries. Microsoft Business
Solutions ApS is a subsidiary of Microsoft Corporation.
Table of Contents
Introduction
Supported Network Configurations
System Requirements
Software Requirements
Hardware Requirements
Planning Your Perimeter Network
Signing Up for Broadband Internet Service
Registering an Internet-Facing Domain Name
Purchasing Networking Hardware
Determining Your Server Certificate Needs
Introduction
Welcome to the Microsoft Business Solutions Perimeter Network Installation Guide. This installation guide
will help you configure a perimeter network for your internal network of Microsoft® Business Solutions
applications, allowing them to be accessed from remote locations using an encrypted channel of
communication. Protecting your network from malicious attacks is an important step to keeping sensitive
information private and network resources online and available.
When you are finished with this installation guide, you will have configured and installed a perimeter network
that includes a firewall (Microsoft Internet Security and Acceleration (ISA) Server 2004) and at least one Web
server (Microsoft Windows Server™ 2003 with Internet Information Services (IIS) 6.0).
This installation guide includes detailed instructions on how to obtain, connect, and configure the servers
and network hardware you will need in your perimeter and internal networks in order to run your Microsoft
Business Solutions applications over the Web.
When you are finished with the steps in this installation guide, you can then run the Microsoft Business
Solutions Perimeter Network Configuration Wizard, which installs and configures ISA Server 2004 as your
company firewall. In addition, the wizard will validate that you have configured your perimeter network
correctly.
You can use the wizard to configure firewall and network access rules for the following Microsoft Business
Solutions applications:
● Microsoft CRM
● Microsoft CRM Mobile
● Microsoft Dynamics AX Enterprise Portal
● Microsoft Dynamics Business Portal
Depending on your configuration, you might not see all of these applications.
The wizard is designed to support additional Microsoft Business Solutions applications as they are released.
Note: The Microsoft Perimeter Network Configuration Wizard is not compatible with Microsoft Windows®
Small Business Server 2003 or Microsoft Small Business Server 2000.
Figure 1
Example Network Architecture of Existing Network Components and Microsoft Perimeter Network
System Requirements
To complete this implementation, you must purchase the number of servers required for your desired
network and install the required software before you can use the Perimeter Network Configuration Wizard.
The following section describes software and hardware requirements for the Microsoft Perimeter Network
Configuration Wizard.
The following Microsoft software and technologies are required to use the Microsoft Perimeter Network
Configuration Wizard:
● Microsoft Windows Server 2003. Windows Server 2003, Standard Edition or Enterprise Edition
provides a platform for the Web hosting and security software required for this implementation
wizard. In some cases, you will be able to use Microsoft Windows 2000 Server, but it is strongly
recommended you build your perimeter network using the newest Windows Server operating
system. In addition, this installation guide assumes you are using Windows Server 2003.
● Microsoft Internet Information Services (IIS) 6.0. IIS 6.0 is the Web server built into Windows
Server 2003. You can use IIS 6.0 to host Web sites and publish those sites to the Internet.
● Microsoft ISA Server 2004. Microsoft ISA Server 2004 is the Microsoft firewall and Web caching
software. For the perimeter network deployment, use ISA Server 2004. Although the procedures
included in this installation guide do not require ISA Server 2004, you must purchase it for the
Microsoft Perimeter Network Configuration Wizard. Previous versions of Microsoft ISA Server are
not compatible with the Microsoft Perimeter Network Configuration Wizard.
● Microsoft Business Solutions software. Microsoft Business Solutions are integrated business
applications for small and mid-size organizations, and divisions of large enterprises.
● Microsoft SQL Server 2000. SQL Server 2000 or later is the database used by Microsoft Business
Solutions applications to store important data and configuration information.
Software Requirements
Your new perimeter network includes an ISA server, and at least one IIS server is used to make your
Microsoft Business Solutions applications available to the Web. Depending on your specific application
requirements, you might need more than one IIS server. If you are already running an internal network of
Microsoft Business Solutions applications, this installation guide assumes that internal network is functional
and configured according to the requirements for Microsoft Business Solutions software. Table 1 describes
the requirements for both your internal and perimeter network.
Hardware Requirements
Table 2 describes the hardware requirements for the Microsoft software you must use for your perimeter
network deployment.
Figure 2
Planning Steps
Figure 3
Perimeter Network Deployment Steps
Important: Because the steps of this document refer to specific entries in the Network Information form,
finish recording your network configuration information before continuing to step 2.
You will need to record network configuration information for the servers listed in the Network Information
form. Some servers are optional with this configuration and are noted in the Network Information form.
Note: Windows Server 2003 might already be installed on your servers if you purchased servers with a
pre-installed operating system. If this is the case with your servers, you can skip the rest of this section and go
to step 3.
If you are already running a server for a specific Microsoft Business Solutions application, that server should
already have Windows Server 2003 installed. In addition, for any Microsoft Business Solutions applications
servers you plan to deploy, but are not currently running, you must configure a server running Windows
Server 2003 for the application. Although these application servers will not have the specific Microsoft
Business Solutions application installed, the wizard must configure those servers as part of the network.
For example, if you plan to have an application server running Microsoft Enterprise Portal, you must have a
server for it that is running Windows Server 2003 and is connected to the network before you begin the Microsoft
Perimeter Network Configuration Wizard.
This guide does not provide specific procedures on how to install Windows Server 2003. However, detailed
instructions and information about installing Windows Server 2003 are available in the Windows Server
Deployment Guide.
If the drivers could not be installed automatically by the operating system, follow the installation instructions
provided with the NIC. If you do not have instructions, you can manually install drivers using the Add
Hardware Wizard in Control Panel.
To run the Add Hardware Wizard, click Start, point to Control Panel, and then click Add Hardware. Follow
the wizard’s directions to find and install drivers for your new NIC(s).
Figure 4
Microsoft Perimeter Network Wiring Example
Note: You might not have all of these servers in your network, depending on your specific deployment
scenario. Some internal network servers might already be configured and connected to network hubs,
depending on your existing network.
When you are finished connecting your network components, turn on all of your servers. The lights on your
hub will begin to blink as network activity starts. If you do not see any activity, make sure your hubs have
electricity and that network cable connections are properly connected at both ends of each cable.
After you have successfully added the My Network Places shortcut to all of your server desktops, you can
begin configuring your perimeter network servers. The following section describes how to configure ISA1.
Configuring ISA1
This section describes the configuration procedure for ISA1 that you must complete before you run the
Microsoft Perimeter Network Configuration Wizard. Configuring ISA1 requires you to perform the following
tasks:
● Change network connection names on ISA1
● Configure TCP/IP settings for each network connection in ISA1
Note: To perform the following procedures, you must be a member of the Account Operators group,
Domain Admins group, or the Enterprise Admins group in Active Directory®, or you must have been
delegated the appropriate authority.
2. In the Network Connections window, right-click the network connection that you intend to connect to
the Internet, click Rename, type Internet, and then press ENTER.
Note: This network connection should be disconnected, and should remain disconnected
after you rename it to Internet.
Note: The network connection might display as connected; however, it might display with a question
mark. Please note that this is normal at this point in the implementation and that you will be configuring
these network connections in later sections of this installation guide.
Now that you have renamed all three network connections in ISA1, you need to configure TCP/IP settings. In
the following section you will configure TCP/IP settings for all three network connections in ISA1.
Configuring TCP/IP Settings for Each Network Connection in ISA1
After you have successfully renamed all of the ISA1 NICs, you must manually configure the TCP/IP
settings for each NIC. The following steps guide you through configuring each ISA1 NIC. To configure the
ISA1 TCP/IP settings, you must complete the following tasks:
● Configure TCP/IP settings for the Internet network connection
● Configure TCP/IP settings for the Internal Network connection
● Configure TCP/IP settings for the Perimeter Network connection
Note: If you are unsure about a configuration setting for a specific network connection, use Figure 5
as a reference.
Start your network configuration process by configuring the TCP/IP connections for the Internet network
connection.
► Configure TCP/IP settings for the Internet network connection
1. On the desktop, right-click My Network Places, and then click Properties.
2. In the Network Connections window, right-click Internet, and then click Properties.
3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following
IP address, and then do the following:
a. In the IP address box, type the Internet-facing static IP address you recorded on line 2 of the
Network Information form.
b. In the Subnet mask box, type the Internet-facing subnet mask you recorded on line 3 of the
Network Information form. After typing the IP address, the subnet mask is automatically
populated with a default address.
c. In the Default gateway box, type the Internet-facing default gateway that you recorded on line 4
of the Network Information form.
Note: When configuring TCP/IP settings for all network servers, the first three entries of the server IP
address should match the first three entries of the default gateway address. For example, if your server
IP address is 192.168.12.103, your default gateway address should also start with 192.168.12. If these
do not match, recheck your entries in the Network Information form, and make sure that you have the
correct addresses for each server.
5. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the ISP preferred DNS address that you recorded on line
5 of the Network Information form.
b. In the Alternate DNS server box, type the ISP alternate DNS address that you recorded on line
6 of the Network Information form.
6. Click OK, and then click Close.
● In the IP address box, type the Internal network IP address you recorded on line 8 of the
Network Information form. After typing your IP address, the subnet mask is automatically
populated with a default address.
● In the Subnet mask box, clear the default entry, and then type the internal network’s subnet
mask that you recorded on line 21 of the Network Information form.
● Leave the Default gateway box blank.
5. Select Use the following DNS server addresses and do the following:
● In the Preferred DNS server box, type the IP address that you recorded for DC1 on line
20 of the Network Information form.
● In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23
of the Network Information form. This IP address is optional. If you do not have an alternate
DNS server in your network, leave this box blank.
6. Click OK, and then click Close. The icon for this network connection changes to show that the
network connection has been configured correctly.
3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:
a. In the IP address box, type the Perimeter network IP address that you recorded on line 8 of
the Network Information form. After typing the IP address, the subnet mask is automatically
populated with a default address.
b. In the Subnet mask box, clear the default entry, and then type the Perimeter network
subnet mask that you recorded on line 10 of the Network Information form.
c. Leave the Default gateway box blank.
5. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of
the Network Information form.
b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of
the Network Information form. This IP address is optional. If you do not have an alternate DNS
server in your network, leave this box blank.
6. Click OK, and then click Close. The icon for this network connection changes to show that the
network connection has been configured correctly.
After you finish configuring TCP/IP settings for ISA1, configure the TCP/IP settings for all of the IIS servers
in your perimeter network by using the procedures in step 9.
Important: You must complete these steps for each of your perimeter network IIS servers.
Note: You should only have one Local Area Connection in each IIS server. If you are unsure
which network connection to configure or if you have more than one, unplug the cable that is
connected from the IIS server to the perimeter network hub. Configure the network connection
that appears as disconnected. Then, plug the network cable back into the IIS server NIC.
3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:
● In the IP address box, type the corresponding IIS server IP address that you recorded in the
Network Information form. After typing your IP address, your subnet mask is automatically
populated with a default address. For example, if you are configuring IIS1, type the IP
address you recorded on line 12 of the Network Information form. You must configure IIS1
for the Microsoft Perimeter Network Configuration Wizard; however, IIS2–IIS4 are optional.
● In the Subnet mask box, type the Perimeter network subnet mask address that you
recorded in line 10 of the Network Information form.
● In the Default gateway box, type the ISA1 Perimeter Network IP address that you recorded
in line 9 of the Network Information form.
Note: When configuring TCP/IP settings for all network servers, the first three entries of the
server IP address should match the first three entries of the default gateway address. For
example, if your server IP address is 192.168.12.103, your default gateway address should also
start with 192.168.12. If these do not match, recheck your entries in the Network Information
form, and make sure that you have the correct addresses for each server.
5. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of
the Network Information form.
b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of
the Network Information form. If you do not have an alternate DNS server in your network, leave
this box blank.
6. Click OK, and then click Close. The icon for this network connection changes to show that the
network connection has been configured correctly.
Note: You should only have one local area connection in each application server, but if you are
unsure which network connection to configure, unplug the cable connected to the NIC in the application
server. Configure the network connections that appear as disconnected. Then, plug the network cable
back into the application server NIC.
4. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
5. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:
a. In the IP address box, type the IP address that you recorded in the Network Information form for
the application server you want to configure. For example, if you are configuring the CRM
server, type the address you recorded on line 27 of the Network Information form. After typing
your IP address, the subnet mask is automatically populated with a default address.
b. In the Subnet mask box, clear the default address and then type the Internal Network subnet
mask that you recorded in line 21 of the Network Information form.
c. In the Default gateway box, type the Internal Network IP address that you recorded in line 8 of
the Network Information form.
Note: When configuring TCP/IP settings for all network servers, the first three entries of the
server IP address should match the first three entries of the default gateway address. For example,
if your server IP address is 192.168.12.103, your default gateway address should also start with
192.168.12. If these do not match, recheck your entries in the Network Information form, and make
sure you have the correct addresses for each server.
6. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of
the Network Information form.
b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of
the Network Information form. If you do not have an alternate DNS server in your network, leave
this box blank.
7. Click OK, and then click Close.
After you have configured TCP/IP settings for every application server in your internal network, you can
validate your network configurations. Figure 5 provides an example for this validation. The TCP/IP settings
shown in the diagram are an example based on the information that is recorded in the Network Information
form. Use the information provided in the diagram as a reference to help make sure that your network
components are configured correctly.
When you are satisfied that the configuration you created is correct, go to step 11. If you think that you have
made an error, recheck your steps to make sure your network is configured correctly.
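The consistency rules this guide states for the Network Information form can be checked mechanically before the wizard is run. The following is an added example, not part of the Microsoft guide or its wizard; it generalizes the "first three entries match" note to a subnet-mask comparison (identical for a 255.255.255.0 mask), and the `PLAN` layout and every address in it are constructed sample values.

```python
"""Added example: sanity-check a Network Information form before running the wizard."""
import copy
import ipaddress

# Constructed sample values (documentation and private ranges), not from the guide.
PLAN = {
    "ISA1": {
        "Internet": {"ip": "203.0.113.10", "mask": "255.255.255.248",
                     "gateway": "203.0.113.9"},
        "Internal Network": {"ip": "192.168.12.1", "mask": "255.255.255.0",
                             "gateway": ""},
        "Perimeter Network": {"ip": "192.168.20.1", "mask": "255.255.255.0",
                              "gateway": ""},
    },
    # "zone" names the ISA1 connection the server sits behind (hypothetical field).
    "servers": {
        "IIS1": {"zone": "Perimeter Network", "ip": "192.168.20.11",
                 "mask": "255.255.255.0", "gateway": "192.168.20.1"},
        "CRM": {"zone": "Internal Network", "ip": "192.168.12.103",
                "mask": "255.255.255.0", "gateway": "192.168.12.1"},
    },
}


def check_nic(label, nic, findings):
    """Check that one connection's addresses parse and its gateway is on-link."""
    try:
        network = ipaddress.IPv4Interface(f"{nic['ip']}/{nic['mask']}").network
        if nic["gateway"] and ipaddress.IPv4Address(nic["gateway"]) not in network:
            findings.append(f"{label}: gateway {nic['gateway']} is outside {network}")
    except ValueError as exc:  # malformed address or mask typed into the form
        findings.append(f"{label}: invalid entry ({exc})")


def validate_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    isa = plan["ISA1"]
    for name, nic in isa.items():
        check_nic(f"ISA1/{name}", nic, findings)

    # Only the Internet connection on ISA1 carries a default gateway; the
    # guide says to leave the box blank on the other two connections.
    if not isa["Internet"]["gateway"]:
        findings.append("ISA1/Internet: default gateway is missing")
    for name in ("Internal Network", "Perimeter Network"):
        if isa[name]["gateway"]:
            findings.append(f"ISA1/{name}: Default gateway box must be left blank")

    # IIS and application servers use the mask of their network and point at
    # the ISA1 address on that same network as their default gateway.
    for host, cfg in plan["servers"].items():
        check_nic(host, cfg, findings)
        isa_nic = isa[cfg["zone"]]
        if cfg["mask"] != isa_nic["mask"]:
            findings.append(
                f"{host}: subnet mask differs from the {cfg['zone']} mask {isa_nic['mask']}")
        if cfg["gateway"] != isa_nic["ip"]:
            findings.append(
                f"{host}: gateway should be the ISA1 {cfg['zone']} address {isa_nic['ip']}")
    return findings


if __name__ == "__main__":
    print("sample plan:", validate_plan(PLAN) or "consistent")
    # A gateway that shares the first three entries but is outside a /29.
    broken = copy.deepcopy(PLAN)
    broken["ISA1"]["Internet"]["gateway"] = "203.0.113.1"
    for finding in validate_plan(broken):
        print("finding:", finding)
```

A perimeter server whose gateway points at the ISA1 internal address is reported twice, once as off-link and once as the wrong ISA1 address, which makes a swapped form entry easy to spot.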
Figure 5
TCP/IP Settings for Perimeter Network
Important: If you want to create a test certificate, perform the procedures in this section of the document
and then move on to the “Create and Install a Server Certificate for Test Network” section of this document.
► Create a certificate request using the Web Server Certificate Wizard in IIS 6.0
1. Log on to IIS1.
2. On the Start menu, point to All Programs, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
3. Expand the local computer, expand the Web sites folder, and then click Default Web site.
4. On the Action menu, click Properties, and then select the Directory Security tab.
5. Click Server Certificate to open the Web Server Certificate Wizard.
6. On the Welcome to the Web Server Certificate Wizard page, click Next.
7. Select Create a new certificate and then click Next.
8. Select Prepare the request now, but send it later and then click Next.
9. In the Name box, type a unique name for the new certificate, select a bit length from the Bit length
list, and then click Next.
If you plan to keep the certificate for more than a year, 2,048 bits is recommended for the additional
security. Higher bit lengths will cause a slightly longer SSL establishment delay for each client’s
initial request to the server that has SSL enabled.
10. In the Organization box, type the legal name of the company for which this certificate is requested,
and in the Organization unit box, enter the organizational unit to which you attach the certificate.
11. Click Next.
12. In the Common name box, type the Fully Qualified Domain Name (FQDN) users on the Internet will
use to reach your Web site.
After you install your production certificate into IIS1, go to the “Install Server Certificate into ISA1 and
Remaining IIS Servers” section of this installation guide. Do not create a test certificate after you have
completed the procedures above.
Creating and Installing a Server Certificate for Test Network
Alternatively, if you are deploying a test environment and do not want to purchase a third-party certificate,
you can create a temporary test certificate for your network. Test certificates should only be used in a test
environment and are not intended for production networks that communicate over the Internet. Because
SelfSSL does not meet the security requirements of a production system, use it only for testing purposes.
In place of using SelfSSL to create a server certificate, you can also obtain a test certificate from a third-party
CA. Obtaining a test certificate from a third-party Certification Authority involves the same request and
installation and configuration steps described earlier in the “Configure Certificate Settings for ISA1 and IIS
Servers” section of this document. The difference is that test certificates from third-party CAs have finite
usage periods associated with them. Specific usage times depend on the specific CA.
Important: If you have already deployed a production-ready certificate, do not attempt to create a test
certificate for the same server. Move to the “Install Server Certificate into ISA1 and Remaining IIS Servers”
section of this document.
SelfSSL is a downloadable Microsoft tool that you can use to create a server certificate and install it on a
server in one step. SelfSSL is a command-line tool and requires you to use a command prompt to complete
this procedure.
► Download and use SelfSSL.exe to create and install a test server certificate
1. Log on to IIS1.
2. Download the IIS 6.0 Resource Kit Tools, located at the Microsoft Download Center and run the file
to install it on IIS1. You can install these tools only on a computer running Windows XP or Windows
Server 2003. The included SelfSSL utility can be used with IIS 5.0 and Windows 2000 Server, as
well as with IIS 6.0. SelfSSL will be installed in the Program Files\IIS Resources\SelfSSL directory.
3. On the Start menu, point to All Programs, point to Accessories, and then click Command
Prompt.
4. At the command prompt, type cd\ and press ENTER.
5. Type cd\program files\IIS Resources\SelfSSL, and then press ENTER.
6. Run SelfSSL by typing the following command line. The parameters of this command line are case-
sensitive. A full description of SelfSSL parameters is available in Appendix B.
Example: To set up a certificate for the Internet-facing domain name contoso.com that is valid for a
period of 60 days, you would type the following line at the command prompt:
For the Internet-facing domain name, it is not necessary to add “www” to the beginning of the host
name.
7. When asked Do you want to replace the SSL settings for site 1?, type Y, and then press ENTER.
After running SelfSSL, the test certificate is automatically created and installed into the Default Web
site on IIS1.
8. Close the command prompt and return to the desktop.
Now that the certificate has been installed in IIS1, you need to export the certificate to a .pfx file, and then
import that file into ISA1 and, if applicable, IIS2–IIS4.
Installing Server Certificates into ISA1 and Remaining IIS Servers
After installing the certificate file on IIS1, export the certificate to a .pfx file. You will use the .pfx file to install
the certificate into ISA1, and then into any remaining IIS servers you have in your network.
► Export IIS1 certificate to a .pfx file
1. Log on to IIS1.
2. On the Start menu, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
3. Expand the local computer, expand the Web sites folder, and then click Default Web site.
4. On the Action menu, click Properties, and then click the Directory Security tab.
5. Click Server Certificate to open the Web Server Certificate Wizard.
Now, install the certificate into ISA1 using the .pfx file you have just created. Install the exported certificate
file into ISA1 using the following procedure.
► Install the certificate file (.pfx file) onto ISA1
1. Log on to ISA1.
2. Copy the .pfx file you saved to removable media in the previous procedure, Export IIS1
certificate to a .pfx file, to a location on ISA1’s local drive.
3. On the Start menu, click Run, type MMC, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Available Standalone Snap-ins list, click Certificates, and then click Add to open the
certificates snap-in wizard.
After installing your certificate file into ISA1, install the certificate into your remaining IIS servers, if you have
more than one. Before you continue, make sure that you have installed IIS on all of your remaining IIS servers.
► Install the certificate file into remaining IIS servers
1. Log on to IIS1.
2. On the Start menu, point to All Programs, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
3. Expand the local computer, expand the Web sites folder, and then click Default Web site.
4. On the Action menu, click Properties, and then select the Directory Security tab.
5. Click Server Certificate to open the Web Server Certificate Wizard.
6. On the Welcome to the Web Server Certificate Wizard page, click Next.
7. Select Copy or Move the current certificate to a remote server site, and then click Next.
8. Select Copy certificate from a remote server web site to this web site, clear the Mark cert as
exportable check box, and then click Next.
9. Type the server name you have assigned to IIS1 in the Server name box; leave the username and
password boxes blank, and then click Next.
10. In the Site Instance box, accept the default value, 1, and then click Next.
11. Click Finish, and then close IIS Manager.
12. Repeat steps 1–11 for each of your remaining IIS servers.
Important: Make sure that the installation files and configuration files you use to deploy your applications
are from a trusted source. Configuration files make changes to server operating systems that can
potentially damage your network.
Installation instructions for specific Microsoft Business Solutions applications are available on the Microsoft
Business Solutions Web site. See the installation guide for the specific application you want to deploy.
Testing Perimeter Network Access after Completing the Microsoft Perimeter Network
Configuration Wizard
After using the Perimeter Network Configuration Wizard, test for access to your network. Using a computer
that is connected to the Internet, but is located outside of your perimeter or internal networks, access your
network by going to your Internet host name.
Troubleshooting
Network interface cards are not displayed in Network Connections
• The network interface cards (NICs) might not be installed correctly. Open the server and make
sure that each NIC is seated tightly in its correct slot.
Network connections are not configuring correctly
• First, make sure the network is connected. Check the back of the server to see if the NIC has
been disconnected or if the NIC’s lights are flashing. If they are not, the network cable is either
faulty or it is not connected correctly. Find both ends of the network cable and make sure they
are both plugged into the correct ports.
• If the cables are connected correctly, open the Network Connections dialog box, right-click the
connection that is experiencing difficulties, and then click Repair. The network connection will
refresh network connection settings.
Glossary
The following section describes many of the terms used in the “Deploy Your Perimeter Network” section of
this document to help you understand the components you are working with while you are setting up your
perimeter network.
Certificate Services
Certificate Services provide an encrypted connection between client computers connecting from the
Internet and network resources in your internal network. Encryption is provided by 128-bit Secure Sockets
Layer (SSL) technology, the same technology used by many online banking Web sites to help protect
user and transaction information.
Default Gateway
A gateway is a server that allows two different networks to communicate. The default gateway is the
computer in your network that forwards traffic originating from your internal network to destinations
outside of your perimeter network. When configuring TCP/IP settings for your network’s servers, you
need to specify a default gateway for your internal network servers. The Microsoft Perimeter Network
Configuration tool configures your perimeter network firewall server as your default gateway.
For this implementation, your default gateway for internal network resources will be your perimeter
network’s firewall server.
Domain Controller
A domain controller (DC) is a computer running Windows Server 2003 that manages user access to a
network, which includes logging on, authentication, and access to the directory and shared resources.
If you are already running Microsoft Business Solutions software inside your existing network, you will
have already set up a primary domain controller (PDC), and possibly a secondary domain controller, to
run those applications. If you do not have a primary domain controller, you must create one and
configure it properly to run in your internal network before setting up your perimeter network.
Firewall
A computer firewall is used to prevent unauthorized Internet users from accessing private networks
connected to the Internet. Computer firewalls can be created using both hardware and software, or a
combination of both.
IP Address
An Internet Protocol (IP) address determines the network location of a specific NIC.
An IP address is a 32-bit address used to identify a computer in a network. Each computer in the
network must be assigned a unique IP address. This address is typically represented in dotted-decimal
notation, with the decimal value of each octet separated by a period, for example, 192.168.7.27. IP
addresses can be either dynamic (refresh each time a computer is restarted) or static, depending on the
network configuration. In Windows Server 2003, you can configure the IP address statically or
dynamically through Dynamic Host Configuration Protocol (DHCP).
For server computers in your internal and perimeter networks, assign static IP addresses. This is a
requirement of the Microsoft Perimeter Network Configuration Wizard.
Network Hub
A network hub is a device that routes data between computers in your network. Rather than connecting
computers directly to one another, a hub is a central connection point where all computers in a network
can connect and share network resources.
Network Switch
For this implementation, you might also deploy network switches. Like hubs, switches connect
computers to each other; however, they include a layer of technology that allows them to more
intelligently route network traffic. Network switches help conserve network bandwidth. Network switches
tend to be more expensive than hubs, but either device will work in this network.
This installation guide assumes that you are using network hubs.
Server Certificate
A unique digital identification that forms the basis of the Secure Sockets Layer (SSL) security features
on a Web site. Server certificates are obtained from a trusted, third-party organization called a
certification authority, and they provide a way for users to authenticate the identity of a Web site.
Subnet Mask
A subnet mask helps you identify where specific networks and computers are located. Network IDs and
host IDs within an IP address are distinguished by using a subnet mask. Typically, you will have a single
subnet mask that defines your local area network (LAN), such as 255.255.255.0. Computers and servers
will have different IP addresses, but they will all belong to a specific subnet, defined by your subnet mask.
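The following check is an added example, not part of the original guide or of any Microsoft tool. It splits an address into its network ID and host ID using the subnet mask, then validates a set of recorded static server addresses: each must be well formed, on the default gateway's subnet, and unique unless two applications share one server. The addresses, the gateway value, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed worksheet values; role names follow the guide's worksheet rows.
MASK = "255.255.255.0"
GATEWAY = "192.168.7.1"          # assumed firewall server address
WORKSHEET = {
    "IIS1": "192.168.7.10",
    "DC1": "192.168.7.20",
    "DC2": "192.168.8.21",       # deliberately on the wrong subnet
    "SQL1": "192.168.7.30",
    "CRM1": "192.168.7.30",      # same server as SQL1
}

def split_ids(ip, mask):
    """Return (network ID, host ID) in dotted-decimal by ANDing with the mask."""
    addr = int(ipaddress.IPv4Address(ip))
    bits = int(ipaddress.IPv4Address(mask))
    network_id = ipaddress.IPv4Address(addr & bits)
    host_id = ipaddress.IPv4Address(addr & ~bits & 0xFFFFFFFF)
    return str(network_id), str(host_id)

def check_worksheet(entries, mask, gateway, shared=()):
    """Return a list of problems found in {role: ip} entries.

    shared: groups of roles that are known to run on one server.
    """
    net = ipaddress.IPv4Network(f"{gateway}/{mask}", strict=False)
    problems, seen = [], {}
    for role, ip in entries.items():
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            problems.append(f"{role}: '{ip}' is not a valid IPv4 address")
            continue
        if addr not in net:
            problems.append(f"{role}: {ip} is not in the gateway's subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{role}: {ip} is reserved (host ID all 0s or all 1s)")
        first = seen.setdefault(addr, role)
        if first != role and not any({first, role} <= set(g) for g in shared):
            problems.append(f"{role}: {ip} is already recorded for {first}")
    return problems

if __name__ == "__main__":
    print(split_ids("192.168.7.27", MASK))
    for line in check_worksheet(WORKSHEET, MASK, GATEWAY, shared=[("SQL1", "CRM1")]):
        print(line)
```

A server whose address falls outside the gateway's subnet cannot send traffic through the firewall server, so catching that before running the wizard avoids a silent loss of connectivity.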
TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of networking protocols used in large
and small networks. It provides communications across interconnected networks made up of computers
with diverse hardware architectures and various operating systems. TCP/IP includes standards for how
computers communicate and conventions for connecting networks and routing traffic.
Figure 6: Microsoft CRM Network Architecture Example
Figure 7: Microsoft CRM Mobile Network Architecture Example
Figure 8: Microsoft Dynamics AX Enterprise Portal Network Architecture Example
Figure 9: Microsoft Dynamics Business Portal Network Architecture Example
Note: Some Microsoft Business Solutions applications may share a single server. If this is the case, record
the IP address of that shared server for both entries.
12 IIS1 IP address
20 DC1 IP address
23 DC2 IP address
25 SQL1 IP address
27 CRM1 IP address