Last week I worked with a client that went live with their IFD implementation for CRM On-premise. The whole IFD setup ran smoothly for internal and external access, and the firewall and TMG rules had been updated in place. However, we hit a problem when one of the main integration points, which usually carries quite heavy traffic, did not work properly. After some time spent troubleshooting, we only just finished the deployment 3 minutes before the planned rollback, as the previous system testing had failed.
The main cause of the problem was the incompatibility of the SHA256 certificate that we used for the IFD with the older infrastructure (Windows Server 2003) where the integration to CRM was hosted. Luckily we found a KB article and hotfix for SHA256 compatibility with Windows Server 2003 and Windows XP: http://support2.microsoft.com/kb/938397. Once the hotfix was applied to the server, the integration worked properly.
The selection of a SHA256 certificate itself was driven by the planned deprecation of SHA-1: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx.
In conclusion, I learned something new to keep in mind: when deploying the latest technology (updates, upgrades, or even a simple certificate change), consider the existing systems, especially those that are about to go out of support, and whether they are going to work or not.
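
A pre-deployment check for the situation described above, as an added example that is not part of the original post: it lists the signature algorithm of every certificate in the chain so that SHA-2 signed certificates can be identified before legacy clients have to validate them. The function name and the `.cer` file name are hypothetical; the script assumes it runs on a current Windows machine with the exported public certificate.

```powershell
# Added example (not from the original post). Function and file names are hypothetical.
function Get-ChainSignatureAlgorithm {
    param(
        [Parameter(Mandatory)]
        [string]$Path    # exported public certificate (.cer), e.g. the IFD certificate
    )

    # Signature algorithm OIDs that use a SHA-2 hash (RSA PKCS#1 v1.5 and ECDSA).
    $sha2Oids = @(
        '1.2.840.113549.1.1.11',  # sha256RSA
        '1.2.840.113549.1.1.12',  # sha384RSA
        '1.2.840.113549.1.1.13',  # sha512RSA
        '1.2.840.10045.4.3.2',    # sha256ECDSA
        '1.2.840.10045.4.3.3',    # sha384ECDSA
        '1.2.840.10045.4.3.4'     # sha512ECDSA
    )

    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Only the chain members are of interest here, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject            = $c.Subject
            SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
            SignatureOid       = $c.SignatureAlgorithm.Value
            # True means every client validating this chain must support SHA-2.
            NeedsSha2Support   = $sha2Oids -contains $c.SignatureAlgorithm.Value
            NotAfter           = $c.NotAfter
        }
    }
}

# Usage (constructed file name):
# Get-ChainSignatureAlgorithm -Path .\crm-ifd.cer | Format-Table -AutoSize
```

Any row with `NeedsSha2Support` set to `True` is a prompt to inventory the systems that connect to the endpoint and confirm they can validate SHA-2 signatures before the certificate goes live.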