Using the CRM Outlook client without a VPN Connection

In version 3.0, the CRM Outlook client could only use Active Directory (AD) authentication to connect to servers. To connect from outside the workplace network, a VPN solution was therefore required. However, this requirement increased complexity, and sometimes was impossible to meet if bandwidth was limited.

Version 4.0 includes a new authenticated mode, called Internet Facing Deployment (IFD) mode, specifically designed to eliminate the VPN requirement. The Implementation Guide – “Sample Server XML Configuration File for Internet-Facing Deployments” section provides instructions to configure CRM Servers in IFD mode.

To enable the Outlook client to take advantage of this new capability, select the “My company” option during configuration. For configuration to succeed, the Outlook client must be able to connect to the server using AD authentication. Also, ensure that at least one server has already been configured in IFD mode.


Next, the wizard prompts for both an intranet and an internet server URL. Enter the internal discovery service URL in the text box labeled “Intranet address”. Enter the discovery service URL exposed to the internet in the text box labeled “Extranet Web address”. Step through the wizard to complete configuration.


After configuration, the Outlook client will automatically select the appropriate authentication mode. To detect when switching authentication mode may be required, the Outlook client detects IP changes, which should occur when joining or leaving a network. Users may receive balloon notifications indicating the Outlook client is trying to apply the appropriate authentication method.


To implement authentication switching, the Outlook client first attempts to connect using AD authentication. If this fails, it attempts to connect using IFD authentication. If credentials are not cached, an authentication dialog is displayed. You can request that credentials be cached by checking the “Remember my password and connect me automatically” option, in which case this dialog should not be displayed any more. If cached credentials expire or become otherwise invalid, this dialog will of course reappear.


In IFD mode, the Outlook client submits specified credentials to the external discovery service endpoint, and receives a CRM authentication ticket in exchange. Since specified credentials are transmitted over the network, using SSL is strongly recommended to prevent interception. The CRM authentication ticket is persisted in the IE cookie jar. Subsequent requests therefore automatically carry the cookie, which the server of course verifies.

The Outlook client also obtains Internet web application and web service URLs from the external discovery service endpoint. The Outlook client refreshes Outlook CRM web folders to point to the correct web application URL. If authentication fails, and the Outlook client is offline-enabled (and has synchronized offline data at least once), it automatically moves to the offline state, allowing the user to work in disconnected mode.

When the Outlook client re-joins the workplace network, an IP change is detected, and a similar procedure is applied. First, the cookie is deleted, and AD authentication is attempted. If this succeeds, the Outlook client obtains intranet web application and web service URLs from the internal discovery service endpoint, and again refreshes Outlook CRM web folders accordingly.

If credentials are cached, such authentication changes should be transparent, allowing users to work without interruption as laptops roam between various locations.

Navin Thadani

Comments (10)

  1. Mark N says:

    When using the IFD tool from the MS download center, what are the potential repercussions of configuring a server for IFD?  Does the CRM server require a restart before changes are enforced?  What rollback planning should be taken in account before attempting an IFD configuration?



  2. Jij says:

    Consider a scenario where i have Domain AD users accessing their company

    Mails using outlook web access (for e.g. These

    are sales guys whose machines are not on the company network, but have their

    user information on the company AD. Now if these users are also CRM users,

    can they be provided access to CRM 4.0 from the same Outlook web access

    interface ? Is this feasible with CRM 4.0? Can we have an interface that

    talks to Exchange server using rpc over http for all mails and calendar

    information and then for the CRM access, use https protocol. (even if it

    means that the user would have to provide credentials twice)

    Any replies would be greatly appreciated as we have to reply a customer at

    the earliest.

  3. Kuven says:

    Help please

    Some help will be greatly appreciated.

    my domain is

    My org name is Contoso

    I have setup my IFD using the tool to point to

    I have created DNS entries and resolved everything correctly.

    When I try to login from external, I cannot connect using the Outlook client. I get the sign in page, however it fails to connect. If I browse via the IE to the same site , I get given an ISA server forms authentication page. If I enter the credentials I get into CRM.

    What am I missing??

  4. Shai says:

    Hi guys.

    Lets say i want outlook to work with IFD.

    Server is configured OK.

    Must I configure it using VPN / direct domain connection?

    What if I want to connect a computer from another country, that cannot connect directly to the domain or use VPN?

    I dont understand, if the feature exists – why must it connect once during configuration?!

    Please let me know if it can be done, hopefully I am mistaken.

    Thanks, Shai.

    (plz email me: shai(at)

  5. Disabled Outlook in CRM 4.0 – Causes, Fixes and Cures

  6. cdappah says:

    The documentation above is great, but I have some specific question I wasn’t sure if I get the answers from there. This is my situation we are preparing a CRM 4 upgrade, but the CRM server is going to reside in a seperate domain and users workstations are joined to seprate domain these domain will not be trusted. I understand the CRM Online will resolve the problem it gives us the ability to access over the internet without VPN. What I would like to do is to access CRM over the internet using the outlook client. which your documentation advised it is possible, but is it also possible if Outlook point to an exchange server that is on the network that the workstations are joined to.


  7. Anya Vigdorchik says:

    Hi, Can you please tell me what this may do the performance of your computer if you use the outlook plug-in that supports offline feature.  I am concerned about communicating out to install the offline feature.


  8. Rahul says:


    I am facing a diffrent problem. I have installed the CRM 4 server, created users & roles. I am able to access the crm site from Internet explorer but while configuring the CRM client I am facing problems. I have given the same URL in the Web address configuration window, but it is giving error that "unable to connect to remote server" I am using active directory for aunthetication.

    Can someone help me?

    Waiting for the reply,


  9. John Green says:

    Nice to be visiting your blog again, it has been months for me. Well this article that i've been waited for so long. I need this article to complete my assignment in the college, and it has same topic with your article.

Skip to main content