Tip #146: Geo-restrictions for your CRM

One of our customers challenged us with a very specific requirement: limit access to their CRM to users located in Australia. It’s always good to remember that the CRM application server is a very sophisticated web site, but a web site nevertheless, and for a web site we can use the ipSecurity element in web.config, which defines IP-based restrictions.

Step 1. Download the list of IP addresses for your country (select the web.config allow format)

Step 2. Find your CRM web.config file. By default it’s located in %ProgramFiles%\Microsoft Dynamics CRM\CRMWeb

Step 3. Insert the <ipSecurity> element and add the downloaded content so that part of your web.config looks like the following:

<configuration>
  ...
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear />
        <add 
           ipAddress="1.0.0.0" 
           subnetMask="255.255.255.0" 
           allowed="true" />
        <add 
           ipAddress="1.0.4.0" 
           subnetMask="255.255.252.0" 
           allowed="true" />
        ...
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>

Note 1. We found that free lists of IP country blocks are a bit stale; if being up-to-date is important for you, consider one of the data subscription services available.

Note 2. Country-level restriction is very superficial protection. For example, nothing stops a persistent user from provisioning a VM in Amazon EC2 in Sydney and accessing CRM from that VM. What will work much better, however, is granting access only to the listed individual IP addresses.

Note 3. The list of IP addresses even for Australia is about 6.5K entries. The performance impact of looking up this table on every request is probably negligible, but it’d be a good idea to measure.
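
The following is an added example, not part of the original tip: a Python sketch that builds the <ipSecurity> element from Step 3 out of a country list in CIDR form, merges adjacent blocks to keep the entry count from Note 3 down, and checks sample addresses against the result before it goes into web.config. The sample list, the function names and the matching model (allow entries only, otherwise allowUnlisted) are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in CIDR form. The first two blocks are the ones shown in
# the fragment above; the last two are adjacent and get merged into one entry.
SAMPLE_CIDRS = """\
1.0.0.0/24
1.0.4.0/22
# comment lines and blanks are skipped

1.0.8.0/25
1.0.8.128/25
"""

def build_ip_security(cidr_text):
    """Return an <ipSecurity> element that allows only the listed IPv4 blocks."""
    nets = []
    for line in cidr_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=True rejects entries with host bits set, e.g. 1.0.4.1/22
            nets.append(ipaddress.IPv4Network(line, strict=True))
    root = ET.Element("ipSecurity", allowUnlisted="false")
    ET.SubElement(root, "clear")
    # collapse_addresses merges adjacent or overlapping blocks: fewer entries
    for net in ipaddress.collapse_addresses(nets):
        ET.SubElement(root, "add", ipAddress=str(net.network_address),
                      subnetMask=str(net.netmask), allowed="true")
    return root

def is_allowed(ip_security, client_ip):
    """Model of the allow-list case used above; deny entries are not modelled."""
    ip = ipaddress.IPv4Address(client_ip)
    for add in ip_security.findall("add"):
        if add.get("allowed") != "true":
            continue
        # An entry without subnetMask is treated as a single host
        mask = add.get("subnetMask", "255.255.255.255")
        if ip in ipaddress.IPv4Network(f"{add.get('ipAddress')}/{mask}"):
            return True
    return ip_security.get("allowUnlisted", "true") == "true"

if __name__ == "__main__":
    element = build_ip_security(SAMPLE_CIDRS)
    ET.indent(element, space="  ")  # Python 3.9+
    print(ET.tostring(element, encoding="unicode"))
    for probe in ("1.0.7.255", "1.0.8.200", "8.8.8.8"):
        print(probe, is_allowed(element, probe))
```

Running a handful of addresses that must and must not get through, including the admin's own, against the generated element is a cheap way to avoid locking everyone out of CRM with a stale or malformed list.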

This is an unsupported modification and the usual disclaimer applies: use at your own risk, do not swallow and keep away from the children. Not tested on hobbits.
