RMS in Exchange Online
Joe Schulman
Program Manager, Forefront For Office
Microsoft Confidential
Agenda
• What is RMS?
• Supported Topologies
• How to deploy RMS to customers in Exchange Online
What is RMS?
• Rights Management Services is a Windows component that enables applications to protect content.
  • Protect = Encrypt and Usage Rights (DRM)
  • http://technet.microsoft.com/en-us/library/cc771627.aspx
  • http://en.wikipedia.org/wiki/Rights_Management_Services
• First shipped in the Windows Server 2003 timeframe; the latest release is Windows Server 2008 R2
• RMS is integrated in Microsoft products
  • Office clients (Excel, Word, PowerPoint, Outlook)
  • SharePoint
  • Exchange (as IRM)
Copyright © 2010 Microsoft Corporation
RMS in Exchange
• RMS integrated as Information Rights Management (IRM) in
  • Exchange 2010 SP1 (includes OWA)
  • Exchange Online in Office 365 beta
• IT Pros configure using RMS Server and Exchange PowerShell cmdlets
• End users experience RMS in Office clients and OWA
• Exchange Server cracks open RMS content automatically to enable common features
  • Transport routing
  • Indexing for search
  • Viewing in OWA
  • Unified Messaging (private voicemails)
Protect
IRM Support
• Persistent protection
  • Protects your sensitive information no matter where it is sent
  • Usage rights locked within the document itself
  • Protects online and offline, inside and outside of the firewall
• Granular control
  • Users apply IRM protection directly within an email
  • Organizations can create custom usage policy templates such as "Confidential—Read Only"
  • Limit file access to only authorized users
Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an email.
Granular protection that travels with the data
Supported Topologies
On-premise IRM
[Diagram: Contoso Inc., with AD RMS Server and Exchange Server 2010 on-premise]
• Same deployment as with Exchange 2007
• Exchange depends on AD RMS Server to decrypt and encrypt content
Business-to-Business IRM
[Diagram: Contoso Inc. and Fabrikam Inc., each with Exchange Server 2010 and an AD RMS Server, connected through the Microsoft Federation Gateway]
Extend Exchange 2010 IRM capabilities to partners*
Partners can:
• Read/reply to externally protected mail in Outlook Web App
• Decrypt protected mail to search, journal, filter, apply transport rules
Flow shown in the diagram:
• Organizations set up trust through Microsoft Federation Gateway.
• Fabrikam contacts RMS server for Use License.
• Protected message is sent to Fabrikam recipient.
• Fabrikam decrypts message for indexing, search, etc.
• Recipient reads/replies to protected message in Outlook Web App.
*Requires Exchange Server 2010 Service Pack 1
Exchange Online IRM (no on-premise Exchange)
[Diagram: Contoso Inc. keeps an on-premise AD RMS Server; Exchange Online runs an embedded RMS Server; clients are Outlook, OWA and Mobile]
Exchange Online:
• Uses embedded RMS Server for encrypting and decrypting
• Requires on-premise AD RMS for managing RMS templates
Configuring RMS in Exchange Online
How to enable RMS in Office 365
Today's demo: Enabling RMS in Exchange Online
• We want to enable information workers to send rights-protected content with Exchange Online
• Four steps:
  • 1. Configure on-premise RMS server, export TPD
  • 2. Import TPD in Exchange Online
  • 3. Make templates visible to users
  • 4. Enable IRM in Exchange Online
Waving my hand – Configuring RMS Templates
• Step 1: Configure on-premise RMS, create RMS templates
  • Great documentation: http://technet.microsoft.com/en-us/library/cc731599.aspx
• Two key concepts
  • RMS Templates
    • Options end-users can select to protect mail
    • Defines usage rights
    • E.g. "All Microsoft FTE – Read Only"
  • Trusted Publishing Domain
    • 10k-foot view: this is the tenant's private key for encrypting content
    • Only step is to export it: http://technet.microsoft.com/en-us/library/ee221062(WS.10).aspx
• Assume you followed the guides with on-premise RMS and have your TPD
Connect to PowerShell in Exchange Online
• Guide: http://help.outlook.com/en-us/beta/cc952755.aspx?sl=1
• $LiveCred = Get-Credential
• $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
• Import-PSSession $Session
Connecting to PowerShell
Step 2: Import TPD in Exchange Online
• Run Import-RMSTrustedPublishingDomain
  • Must be run once for each TPD you need to import
  • Also imports the RMS templates contained in the TPD
• Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)) -Name "TPD Name" -ExtranetLicensingUrl https://<external rms cluster hostname>/_wmcs/licensing -IntranetLicensingUrl https://<internal rms cluster hostname>/_wmcs/licensing
• The documentation for this is not yet public
Importing the TPD
Step 3: Make templates visible to users
• By default templates are "Archived" and not visible.
• To see all templates:
  • Get-RMSTemplate -Type:All
• To make our new template "Distributed" (i.e. visible):
  • Set-RMSTemplate -Identity <template identity> -Type:Distributed
• Note: Do Not Forward is Exchange and Outlook-specific – it cannot be modified
Step 4: Enable IRM in Exchange Online
• Simply flip the IRM switch:
  • Set-IRMConfiguration -InternalLicensingEnabled $true
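Steps 2 to 4 above as one script, added here as an example and not part of the deck. The path, TPD name, licensing URLs, template name and test sender are placeholders for your tenant; it assumes the TPD has already been exported from the on-premise AD RMS cluster (step 1).

```powershell
# Added example (not from the deck): steps 2-4 as one script, run after the
# on-premise TPD export. All values below are placeholder assumptions.
$TpdPath     = "C:\tpd.xml"                                  # placeholder
$TpdName     = "Contoso TPD"                                 # placeholder
$ExtranetUrl = "https://rms.contoso.com/_wmcs/licensing"     # placeholder
$IntranetUrl = "https://rmsint.contoso.com/_wmcs/licensing"  # placeholder
$TemplateToPublish = "Contoso Confidential - Read Only"      # placeholder
$TestSender  = "user@contoso.com"                            # placeholder

# Connect to Exchange Online remote PowerShell (same cmdlets as the deck)
$LiveCred = Get-Credential
$Session  = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Step 2: import the TPD; you are prompted for the password used at export
$TpdBytes = [byte[]](Get-Content -Encoding Byte -Path $TpdPath -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $TpdBytes -Name $TpdName `
    -ExtranetLicensingUrl $ExtranetUrl -IntranetLicensingUrl $IntranetUrl

# Step 3: imported templates are Archived; distribute only the one users need
Get-RMSTemplate -Type All | Format-Table Name, Type -AutoSize
$tpl = Get-RMSTemplate -Type All | Where-Object { $_.Name -eq $TemplateToPublish }
if (-not $tpl) { throw "Template '$TemplateToPublish' not found in imported TPD" }
Set-RMSTemplate -Identity $tpl.Identity -Type Distributed

# Step 4: enable IRM, then read the configuration back rather than assuming
Set-IRMConfiguration -InternalLicensingEnabled $true
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    throw "InternalLicensingEnabled is still false"
}

# Check: Test-IRMConfiguration (Exchange 2010 SP1 / Exchange Online) exercises
# the licensing URLs for a real sender and reports failures before users do
Test-IRMConfiguration -Sender $TestSender

Remove-PSSession $Session
```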
End users immediately see the changes in OWA
Sending the sensitive message
Recipient Experience
Replying to a Message
More Information
• Using Exchange PowerShell in Office 365
  • http://help.outlook.com/en-us/beta/cc952755.aspx?sl=1
• RMS Overview
  • http://technet.microsoft.com/en-us/library/cc771627.aspx
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
Extra commands for other common configuration steps and marketing slides
Notes on Import-RMSTrustedPublishingDomain
• When prompted for a password, enter the password used during export of the TPD from AD RMS.
• When a TPD is imported, the corresponding templates from AD RMS are also imported. The TPD contains the templates that were created with the specific SLC contained within the TPD. Exchange will support up to 20 templates per TPD.
• The URLs specified at import time are used by Outlook clients, and also when content needs to be decrypted and Exchange has to work out which TPD to use. To ensure the right TPD is selected, these URLs must match the configuration of your on-premise AD RMS cluster.
Changing the default TPD
• The first TPD imported is assumed to be the default (which is why we didn't configure it). To change the default TPD, use the cmdlet:
  • Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default
• Users only see templates from the default TPD, but they can decrypt content from any TPD
Updating Exchange Online with new TPD
• Same Import-RMSTrustedPublishingDomain cmdlet, just with the -RefreshTemplates switch
  • $data = [byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., c:\tpd.xml>" -ReadCount 0)
  • Import-RMSTrustedPublishingDomain -FileData $data -Name "TPD Name" -RefreshTemplates
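The three appendix operations (refreshing templates, changing the default TPD, and checking that the imported licensing URLs match the on-premise cluster) combined into one script, added as an example rather than taken from the deck. It assumes an Exchange Online session is already imported, that the TPD object exposes Default, ExtranetLicensingUrl and IntranetLicensingUrl properties, and uses placeholder paths, names and URLs.

```powershell
# Added example (not from the deck). Assumes Import-PSSession has already been
# run against Exchange Online; all names, paths and URLs are placeholders.
param(
    [string]$TpdPath = "C:\tpd.xml",                                   # placeholder
    [string]$TpdName = "Contoso TPD",                                  # placeholder
    [string]$ExpectedExtranetUrl = "https://rms.contoso.com/_wmcs/licensing",    # placeholder
    [string]$ExpectedIntranetUrl = "https://rmsint.contoso.com/_wmcs/licensing", # placeholder
    [switch]$MakeDefault
)

# Re-import the (re-exported) TPD with -RefreshTemplates so templates added or
# changed in AD RMS since the first import are picked up in Exchange Online.
$data = [byte[]](Get-Content -Encoding Byte -Path $TpdPath -ReadCount 0)
Import-RMSTrustedPublishingDomain -FileData $data -Name $TpdName -RefreshTemplates

$tpd = Get-RMSTrustedPublishingDomain -Identity $TpdName -ErrorAction SilentlyContinue
if (-not $tpd) { throw "TPD '$TpdName' not found after import" }

# Users only see templates from the default TPD, so switch it deliberately.
# (Property name 'Default' is an assumption about the returned object.)
if ($MakeDefault -and -not $tpd.Default) {
    Set-RMSTrustedPublishingDomain -Identity $tpd.Identity -Default
}

# Exchange picks the TPD for decryption by matching these URLs, so a mismatch
# with the AD RMS cluster breaks decryption. PowerShell's -ne is case-insensitive.
$problems = @()
if ($tpd.ExtranetLicensingUrl -ne $ExpectedExtranetUrl) {
    $problems += "ExtranetLicensingUrl is '$($tpd.ExtranetLicensingUrl)'"
}
if ($tpd.IntranetLicensingUrl -ne $ExpectedIntranetUrl) {
    $problems += "IntranetLicensingUrl is '$($tpd.IntranetLicensingUrl)'"
}
if ($problems.Count -gt 0) {
    Write-Warning ("TPD '$TpdName' URL mismatch: " + ($problems -join "; "))
} else {
    Write-Host "TPD '$TpdName' licensing URLs match the on-premise cluster"
}

# Show which templates users will now be offered (Distributed ones only)
Get-RMSTemplate -Type Distributed | Format-Table Name -AutoSize
```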
Transport Protection Rules
• IRM protection can be triggered based on sender, recipient, content and other conditions
• Office 2003, 2007, and 2010 attachments also protected
Apply RMS policies automatically using Transport Rules
Apply “Do Not Forward” or custom RMS templates
Automatically apply IRM
Protect
IRM protection can still be applied manually
User can be granted option to turn off rule for non-sensitive email
Adding recipient or distribution list can trigger IRM protection automatically before sending
Protect
Provide users with IRM protection options
Outlook Protection Rules
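Both slides above (Transport Protection Rules and Outlook Protection Rules) expressed as cmdlets, added as an example and not part of the deck. The template name, distribution group and keywords are placeholders; the group and a Distributed template of that name are assumed to exist in the tenant.

```powershell
# Added example (not from the deck): automatic IRM protection server-side
# (transport rule) and client-side (Outlook protection rule). Placeholders below.
$Template = "Contoso Confidential - Read Only"   # placeholder Distributed template
$Group    = "legal@contoso.com"                  # placeholder distribution group

# Transport protection rule: applied by Exchange regardless of the sending
# client. Triggered here by recipient (member of the group) or by content;
# Office 2003/2007/2010 attachments are protected along with the body.
New-TransportRule -Name "IRM: mail to legal group members" `
    -SentToMemberOf $Group `
    -ApplyRightsProtectionTemplate $Template

New-TransportRule -Name "IRM: sensitive keywords" `
    -SubjectOrBodyContainsWords "Project Contoso", "merger" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Outlook protection rule: evaluated in Outlook 2010 before the message leaves,
# so the user sees that protection was applied. UserCanOverride lets the user
# turn it off for non-sensitive mail; adding the group as a recipient triggers it.
New-OutlookProtectionRule -Name "Outlook IRM: legal" `
    -SentTo $Group `
    -ApplyRightsProtectionTemplate $Template `
    -UserCanOverride $true

# Review what is in place (template-applying transport rules, and all Outlook rules)
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, Priority, ApplyRightsProtectionTemplate -AutoSize
Get-OutlookProtectionRule | Format-Table Name, Enabled, UserCanOverride -AutoSize
```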
IRM in Outlook Web App
Native support for IRM in Outlook Web App eliminates need for Internet Explorer Rights Management add-on
Protected messages can be viewed as WebReady Documents
Access to standard and custom RMS templates
Access protected messages online
• Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages
Protect
IRM Search
Conduct full-text search of IRM-protected mail in Outlook (online), Outlook Web App, and multi-mailbox search
Index and search protected items
Protect
Content within protected attachments can also be searched
Protected voicemail
“Do Not Forward” template
• Integration with AD RMS and Exchange Unified Messaging
• Permissions designated by sender (by marking the message as private) or by administrative policy
Protected Voicemail
Prevent forwarding of voicemail
Protect
Protect all messages or only messages marked Private