As you may already know, one of the most complicated tasks for IT and security staff is to ensure that sensitive corporate data is well protected.

To help them with this task, Microsoft introduced a technology called Rights Management Services (RMS) about a decade ago (the first release was provided with Windows Server 2003 as an additional downloadable component). Since then, and with the move to the cloud, RMS has also been made available to Office 365 customers as Azure RMS.

That said, the On Premises RMS version has (at least) one limitation: you can not share RMS protected documents with external people. You need either to create (and so manage) a user account in your Active Directory for those people, or implement a federation with the external organization, which requires that organization to implement ADFS too. On the other side, Azure RMS can help to share such protected documents with external people BUT does not deliver On Premises protection, meaning you can not use Azure RMS to protect On Premises file shares, SharePoint sites or Exchange mail flows.

Good news: Microsoft has provided an RMS connector to help you use Azure RMS on your On Premises systems.

To do so, you just have to

  1. Enable Azure RMS (either on your Office 365 tenant or, if you don’t have Office 365, on your Azure tenant),
  2. Implement (if not done yet) directory synchronization with Azure Active Directory Services (you know, the well known DirSync for Office 365 or the new tool AAD Connect – see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=631),
  3. Optionally but recommended (also if not yet done), implement federation using ADFS,
  4. And finally install the connector and configure your On Premises systems to use Azure RMS (SharePoint, Exchange or file shares).

 

I will not go through the first 3 steps – Azure RMS activation, directory synchronization and federation – as there is already a lot of documentation available, even in this blog. So, let’s start with the connector installation and systems configuration.

 

Download and Install the Azure RMS connector

There are 3 files available for download:

    • GenConnectorConfig.ps1 – PowerShell script to configure authorized servers to use the RMS connector (run either locally on the authorized server or through a Group Policy)
    • RMSConnectorAdminToolSetup_x86.exe – installs the RMS connector console on 32-bit clients (this is not a 32-bit version of the connector)
    • RMSConnectorSetup.exe – the connector setup itself, or the remote console

The connector can be installed on Windows Server 2008 R2 through 2012 R2. If you plan to implement high availability, you have to install it on at least 2 different servers.

During the installation, IIS and all required features will be installed if not already installed on the server.

You can use the setup program to install the Azure RMS console on a remote client; if your client does not meet the requirements to install the connector itself, you will automatically be offered to install the console only. This console allows you to manage the servers authorized to use the connector.

It is not required to use a dedicated server to host the connector, BUT do not install it on the Exchange, SharePoint or file servers that will be protected through the connector.

The connector setup is very simple, just follow the install wizard; there are no specific settings here except the tenant credentials to be entered.

NOTE 1: if the tenant administrator credentials use MFA (multi-factor authentication), the setup will fail; I recommend using a dedicated account, similar to the one used for the Directory Synchronization installation. The error you get does not clearly say that MFA is not supported, only that the user name and password combination is not correct.

NOTE 2: the credentials used here MUST be either an Office 365 Global Administrator, an RMS Tenant Global Administrator or an Azure RMS Connector Administrator. If you plan to use a dedicated RMS account, see later in this post for connecting to the Azure RMS tenant and configuring a privileged account.


 

Authorizing the use of Azure RMS Connector

Once the connector installation has been completed, the first thing to do is to allow the hosting servers to use the Azure RMS connector.

At the end of the installation, the wizard offers to launch the console to authorize the servers. If not, or if you closed the wizard without launching the console, just start it from the Start menu.


In this console, you just have to add the server(s) allowed to use the RMS connector – such as the file share server, Exchange or SharePoint server.


When adding a server, you have to define the server type – Exchange, SharePoint or File Share – and an account – either a service or a computer account.


Recommendations

  • For Exchange servers, use the default Exchange Servers group to automatically allow all Exchange servers
  • For SharePoint servers, use the service account that runs the SharePoint application pool
  • For file servers, use the computer account or a dedicated group containing all file servers allowed to use the connector

 

Configure RMS Connector to use HTTPS

As the RMS connector uses an IIS web site, by default it uses plain HTTP; as for any sensitive HTTP communication, HTTPS is recommended.

To enable HTTPS for the RMS connector, just open the IIS console and bind the HTTPS port (443) to a certificate; you can use either your internal Certification Authority or a public one.

You can also configure the binding with a generic URL (host name) instead of the server name; this is required if you plan to use load balancing for high availability, and it is also recommended even if you deploy a single RMS connector server.

Do not change this URL after you have configured Exchange, SharePoint or file servers to use the RMS connector.
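The same HTTPS binding done from PowerShell instead of the IIS console, as an added example that is not part of the original post. It assumes the connector is hosted in "Default Web Site", that the certificate is already in the local machine store, and uses placeholder values for the generic host name and certificate thumbprint.

```powershell
# Added example: bind HTTPS (443) on the IIS site hosting the RMS connector,
# using a generic host name instead of the server name, as recommended above.
Import-Module WebAdministration

$siteName   = 'Default Web Site'            # assumption: site hosting the connector
$hostName   = 'rmsconnector.contoso.com'    # placeholder generic URL
$thumbprint = '<certificate thumbprint>'    # placeholder, from your CA-issued cert

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }

# Refuse a certificate that does not cover the generic name clients will use;
# otherwise Exchange, SharePoint and file servers get a TLS name mismatch.
if ($cert.DnsNameList.Unicode -notcontains $hostName) {
    throw "Certificate $thumbprint does not cover $hostName"
}

# Add the 443 binding with the generic host header if it is not already there.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}

# Attach the certificate to port 443 on all addresses (idempotent).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# Show the resulting HTTPS bindings so the change can be checked.
Get-WebBinding -Name $siteName -Protocol https
```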

 

Configure Exchange and/or SharePoint servers

Exchange Server

Exchange 2010 SP3 with CU 6, or Exchange 2013 CU 3 (or later), is supported for use with the RMS connector.

If you are running Windows Server 2008 or Windows Server 2008 R2, you need to install an updated version of the RMS client to support RMS Cryptographic Mode 2 (Windows Server 2012/2012 R2 already support it).

Run the PowerShell script to configure the Exchange server to use the connector (don’t forget, always run the script using Run as administrator).

This script automatically creates and updates registry keys; if you want to do it manually, just read the script to get the keys and values.

It will ask you for the RMS connector URL (your RMS connector server(s)).


Once this has been completed, you have to enable Exchange for RMS – see http://technet.microsoft.com/en-us/library/dd351212(v=exchg.150).aspx

By the way, to enable RMS on Outlook Web Access for On Premises, you have to run the following command on Exchange: Set-OWAVirtualDirectory -IRMEnabled $true

 

SharePoint Server

SharePoint 2010 and SharePoint 2013 are supported for use with the RMS connector.

As for Exchange Server, if you are not running Windows Server 2012/2012 R2, you need to update the RMS client.

Run the PowerShell script to configure the SharePoint server to use the connector (don’t forget, always run the script using Run as administrator).

This script automatically creates and updates registry keys; if you want to do it manually, just read the script to get the keys and values.

As for Exchange, once this has been completed, you have to set up SharePoint for RMS use – see http://technet.microsoft.com/en-us/library/hh545608(v=office.14).aspx

 

Configure the connector to use a proxy server

If you are using a proxy server, you may have to configure the RMS connector to use this proxy.

Unfortunately, there is no interface available to do so; you have to manually update the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector and add a String value called ProxyAddress with the proxy settings as its value (like http://proxyserver:8080).
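The registry change above scripted in PowerShell, as an added example that is not part of the original post; run it elevated on the connector server. The proxy URL is a placeholder, and the format check is my own addition to catch typos that would silently leave the connector unable to reach Azure RMS.

```powershell
# Added example: set the ProxyAddress string value the RMS connector reads
# from HKLM\SOFTWARE\Microsoft\AADRM\Connector, and read it back to verify.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\AADRM\Connector'
$proxyUrl = 'http://proxyserver:8080'    # placeholder, replace with your proxy

# Only accept an http(s) URL with an explicit port; anything else is very
# likely a typo and would be hard to diagnose from the connector side.
if ($proxyUrl -notmatch '^https?://[A-Za-z0-9.-]+:\d{1,5}$') {
    throw "ProxyAddress must look like http://host:port, got '$proxyUrl'"
}

# Create the key if the connector setup has not created it yet.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# REG_SZ value named ProxyAddress; -Force overwrites an existing value.
New-ItemProperty -Path $keyPath -Name 'ProxyAddress' -Value $proxyUrl `
    -PropertyType String -Force | Out-Null

# Read the value back so the change is verified, not assumed.
$current = (Get-ItemProperty -Path $keyPath -Name 'ProxyAddress').ProxyAddress
if ($current -ne $proxyUrl) {
    throw "ProxyAddress readback mismatch: expected '$proxyUrl', got '$current'"
}
Write-Output "ProxyAddress set to $current"
```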

 

Configure Azure RMS privileged account

To configure a privileged Azure RMS account, you need to use the PowerShell module for Azure RMS – available at http://technet.microsoft.com/en-US/library/jj585012.aspx

Then run the following commands:

  • Connect-AadrmService and provide existing administrator credentials
  • Add-AadrmRoleBasedAdministrator -EmailAddress <email address> -Role "GlobalAdministrator"
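Since NOTE 2 above says the connector setup also accepts an Azure RMS Connector Administrator, here is an added example (not from the original post) that delegates only that role to a dedicated account instead of making it a Global Administrator, then verifies the assignment. It assumes the Azure RMS PowerShell module is installed, that the role value is spelled ConnectorAdministrator, and uses a placeholder e-mail address.

```powershell
# Added example: grant a dedicated (non-MFA) account the connector role only,
# following least privilege, and confirm the assignment before using it in setup.
$connectorAdmin = 'rmsconnector-svc@contoso.com'   # placeholder account

# Sign in with an existing Azure RMS administrator (interactive prompt).
Connect-AadrmService

# Delegate the narrowest role the connector setup accepts
# (role name assumed to be 'ConnectorAdministrator' rather than 'GlobalAdministrator').
Add-AadrmRoleBasedAdministrator -EmailAddress $connectorAdmin -Role 'ConnectorAdministrator'

# Verify the delegation by searching the administrator list for the account.
$found = Get-AadrmRoleBasedAdministrator |
    Out-String -Stream |
    Select-String -SimpleMatch $connectorAdmin
if (-not $found) {
    throw "Role assignment for $connectorAdmin was not found"
}
Write-Output "Connector administrator role confirmed for $connectorAdmin"

Disconnect-AadrmService
```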