While looking for solutions for a somewhat exotic security architecture for an MSCRM deployment, I came across a little-known fact: Forefront Universal Application Gateway (UAG) ships a template to publish MSCRM 2011 and 4.0; publishing for MSCRM 2011 was added in Forefront UAG Service Pack 1 Update 1.
This offers quite a few advantages and one big drawback (see below).
The advantages of using this mode are the following:
Control downloads and uploads: for example, you can prevent file downloads for unmanaged client endpoints, or for endpoints that do not comply with corporate access policy.
Control data export: you can control who exports CRM data to Excel, and from where.
Provide session clean-up capabilities: you can clean an endpoint's cache and temporary files after a session ends.
Control session access: Forefront UAG adds timeout and logoff functionality to reduce the risk of session hijacking.
Provide frontend authentication: you can authenticate clients on the Forefront UAG server, to ensure that only authenticated traffic reaches backend CRM servers. Forefront UAG provides a variety of frontend authentication mechanisms, including strong authentication using smartcards and one-time passwords.
Provide backend authentication: Forefront UAG provides single sign-on so that clients need to authenticate only once. Credentials provided for session access to Forefront UAG sites can be delegated to backend CRM servers that require authentication. Forefront UAG also supports Active Directory Federation Services (ADFS).
Verify endpoint health: you can configure access policies using Forefront UAG's built-in policies, or using Network Access Protection (NAP) policies downloaded from a Network Policy Server (NPS). Only clients complying with the policies can access Forefront UAG and the backend CRM servers.
The big drawback is the following:
"Publishing Dynamics CRM 2011 via Forefront UAG does not support the Dynamics CRM client for Outlook."
Obviously, this is a big drawback, but in some scenarios, like the one I was assessing, Outlook integration is out of scope, so it remains quite a valid option.
Furthermore, with UAG in front, you can activate IFD mode in MSCRM 2011 without using claims-based authentication (see http://technet.microsoft.com/en-us/library/hh490315.aspx), so there is no need for ADFS.
Of course, you can also use it with claims-based authentication (http://technet.microsoft.com/en-us/library/hh490310.aspx).