
Exchange 2013 with Rights Management Connector (Part 3)

If you would like to read the other parts in this article series please go to:

Configuring Exchange 2013 to use RMS Connector

Now that we have installed and configured the RMS connector, we are ready to configure Exchange servers to use it:

  1. Installing RMS Connector (already discussed);
  2. Configuring RMS Connector (already discussed);
  3. Configuring Exchange 2013 to use the RMS connector;
  4. Protecting information.

So let us get started on steps 3 and 4.

Important:
After a server is configured to use the connector, client applications that are installed locally on that server might not work with RMS. When this happens, it is because the applications try to use the connector rather than use RMS directly, which is not supported. Also, if Office is installed locally on an Exchange server, the client app’s Information Rights Management [IRM] features might work from that computer after the server is configured to use the connector, but this is not supported. In both scenarios, we must install the client applications on separate computers that are not configured to use the connector. They will then correctly use RMS directly.

Exchange

To use the RMS connector, Exchange servers must be running one of the following versions:

  • Exchange 2010 with Service Pack 3 Rollup Update 2;
  • Exchange 2013 with Cumulative Update 3.

RMS Client

We might also need to install on the server a version of the RMS client that includes support for RMS Cryptographic Mode 2 (2048-bit RSA keys and SHA-256). The minimum version supported on Windows Server 2008 is included in the hotfix described in the Microsoft Knowledge Base article "RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008". The minimum version for Windows Server 2008 R2 is included in the hotfix described in "RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2". Windows Server 2012 and 2012 R2 natively support Cryptographic Mode 2, so no hotfix is required there.

Note that if these versions (or later versions) of Exchange and the RMS client are not installed, we will not be able to configure Exchange to use the connector. In my case, I am running Exchange Server 2013 SP1 (CU4) on Windows Server 2012, so there is nothing required at this stage.

Registry

In order to configure Exchange servers to use the RMS Connector, we need to make some registry changes. To do this, we have two options: either automatically, by using the server configuration tool for the RMS connector, or manually. The automatic method is preferred in most cases because it makes the entire process easier: we do not need to edit the registry ourselves or perform additional steps to obtain our Microsoft RMS URL, and the prerequisites are checked for us (but not automatically installed).

Let us start with the automatic method:

  1. If you have not already downloaded the script for the RMS server configuration tool (GenConnectorConfig.ps1), download it from the Microsoft Download Center;
  2. Save the GenConnectorConfig.ps1 file on the computer where you will run the tool. If you run the tool locally, this must be the server that you want to configure; otherwise, you can save it on any computer;
  3. Decide how to run the tool:
    • Locally: we can run the tool interactively from the server to be configured. This is useful for a one-off configuration, such as a testing environment;
    • Software deployment: we can run the tool to produce registry files that we then deploy to one or more relevant servers by using a systems management application that supports software deployment, such as System Center Configuration Manager;
    • Group Policy: we can run the tool to produce a script that we use to then create Group Policy objects for the servers to be configured. This script creates one Group Policy object for each server type to be configured, which we can then assign to the relevant servers.
  4. Open an elevated PowerShell prompt and use Get-Help to read the instructions on how to use the tool for your chosen configuration method: Get-Help .\GenConnectorConfig.ps1 -Detailed

When the tool runs, it prompts us to enter the URL of the RMS connector for our organization. Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that we defined in DNS for the load balanced address of the connector. In my case, this is https://rms.letsexchange.com. The tool then uses that URL to contact the servers running the RMS connector and obtain other parameters that are used to create the required configurations.

For this scenario, I am simply running the script locally on my Exchange servers:

.\GenConnectorConfig.ps1 -ConnectorUri https://rms.letsexchange.com -SetExchange2013


Figure 3.1: Configuring the Registry for RMS Connector

If you prefer to manually configure Exchange servers to use the RMS connector, first we need to get our MicrosoftRMSURL – our organization’s Microsoft RMS service URL. To find this value, run the Get-AadrmConfiguration cmdlet for Azure RMS. From the output, identify the LicensingIntranetDistributionPointUrl value:


Figure 3.2: Azure RMS MicrosoftRMSURL

From the value, remove “/_wmcs/licensing” from the string. The remaining string is our Microsoft RMS URL, in my case: https://fdd29f33-2557-4593-8050-fb1258655256.rms.eu.aadrm.com

Next we need our ConnectorFQDN, which is the name we defined in DNS for the load-balanced address of the connector: rms.letsexchange.com in my case (the http:// or https:// prefix is added in the registry data, as shown below).

Then we need to manually configure four registry values, under four keys, on every Exchange server. Table 1 lists them for Exchange 2013 (the v15 hive) and Table 2 for Exchange 2010 (the v14 hive); the only difference between the two is the ExchangeServer\v15 versus ExchangeServer\v14 path. Note that for the two IRM redirection keys, the value name is the Microsoft RMS URL and the value data is the connector URL; this is what redirects Exchange from the cloud endpoint to the connector:

Exchange 2013 registry settings

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation
Type: Reg_SZ
Value: (Default)
Data: https://MicrosoftRMSURL/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing
Type: Reg_SZ
Value: (Default)
Data: https://MicrosoftRMSURL/_wmcs/Licensing

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\IRM\CertificationServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/certification
Data: http(s)://ConnectorFQDN/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\IRM\LicenseServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/licensing
Data: http(s)://ConnectorFQDN/_wmcs/licensing

Table 1

Exchange 2010 registry settings

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation
Type: Reg_SZ
Value: (Default)
Data: https://MicrosoftRMSURL/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing
Type: Reg_SZ
Value: (Default)
Data: https://MicrosoftRMSURL/_wmcs/Licensing

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\CertificationServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/certification
Data: http(s)://ConnectorFQDN/_wmcs/certification

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\LicenseServerRedirection
Type: Reg_SZ
Value: https://MicrosoftRMSURL/_wmcs/licensing
Data: http(s)://ConnectorFQDN/_wmcs/licensing

Table 2
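The manual method above (derive MicrosoftRMSURL from Get-AadrmConfiguration, then write the four values from Table 1 or Table 2) can be scripted so that it is repeatable across servers and verified after the fact. The following is an added example, not the article's own code and not Microsoft's GenConnectorConfig.ps1; it is meant to be run in an elevated Exchange Management Shell on the Exchange server being configured, with the Azure RMS administration module (Get-AadrmConfiguration) installed. The connector name and scheme are placeholders; it goes slightly beyond the text by picking the v15 or v14 hive from the installed Exchange version so the same script serves both tables.

```powershell
# Added example: manual RMS connector registry configuration for Exchange (Tables 1 and 2).
# Assumptions: elevated Exchange Management Shell, Azure RMS module present,
# and the two placeholders below replaced with your own values.
$ConnectorFqdn   = 'rms.letsexchange.com'   # placeholder: load-balanced DNS name of the connector
$ConnectorScheme = 'https'                  # use 'http' only if the connector is not published over TLS

# 1. Derive MicrosoftRMSURL: LicensingIntranetDistributionPointUrl minus "/_wmcs/licensing"
$licUrl          = (Get-AadrmConfiguration).LicensingIntranetDistributionPointUrl
$MicrosoftRmsUrl = ($licUrl -replace '/_wmcs/licensing/?$', '').TrimEnd('/')
if ($MicrosoftRmsUrl -notmatch '^https://') {
    throw "Unexpected licensing URL '$licUrl'; refusing to write the registry"
}

# 2. Exchange 2013 keeps its IRM keys under ExchangeServer\v15, Exchange 2010 under v14
$major = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion.Major
$hive  = switch ($major) {
    15      { 'v15' }
    14      { 'v14' }
    default { throw "Unsupported Exchange version $major on $env:COMPUTERNAME" }
}

# 3. The four values. For the MSDRM keys the (default) value points at Azure RMS;
#    for the IRM redirection keys the value NAME is the Azure RMS URL and the DATA
#    is the connector URL, which is what redirects Exchange to the connector.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation\Activation'
       Name = '(default)'
       Data = "$MicrosoftRmsUrl/_wmcs/certification" }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing'
       Name = '(default)'
       Data = "$MicrosoftRmsUrl/_wmcs/licensing" }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$hive\IRM\CertificationServerRedirection"
       Name = "$MicrosoftRmsUrl/_wmcs/certification"
       Data = "${ConnectorScheme}://$ConnectorFqdn/_wmcs/certification" }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$hive\IRM\LicenseServerRedirection"
       Name = "$MicrosoftRmsUrl/_wmcs/licensing"
       Data = "${ConnectorScheme}://$ConnectorFqdn/_wmcs/licensing" }
)

# 4. Create missing keys and write each REG_SZ value (Set-ItemProperty creates it if absent)
foreach ($s in $settings) {
    if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Data -Type String
}

# 5. Read everything back and fail loudly on any mismatch
$mismatches = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path).($s.Name)
    if ($actual -ne $s.Data) { "$($s.Path) [$($s.Name)] = '$actual', expected '$($s.Data)'" }
}
if ($mismatches) { throw "Registry verification failed:`n$($mismatches -join "`n")" }
"All four RMS connector registry values are set on $env:COMPUTERNAME ($hive)."
```

Run it once per Exchange server (or wrap the body in Invoke-Command against a list of servers); the read-back at the end is the check to keep, because a typo in the value name of either redirection key silently leaves Exchange talking to the Azure RMS endpoint directly instead of the connector.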

Exchange IRM Functionality

The next step is to ensure that in our Exchange environment, IRM is enabled for internal messages. This will allow us to create transport protection rules and Outlook protection rules to IRM-protect messages in transport and on Outlook clients. Enabling IRM for internal messages is a prerequisite for all other IRM features in Exchange, such as transport decryption, journal rule decryption, IRM in Outlook Web App, and IRM in ActiveSync.

To enable IRM for internal messages for the Exchange organization, we use the EMS and run the following cmdlet:

Set-IRMConfiguration -InternalLicensingEnabled $True

To test IRM, we use the Test-IRMConfiguration cmdlet, which takes the SMTP address of a mailbox in its -Sender parameter. Ensure that all the URLs in the output are set to the RMS Connector address (not directly to the Azure RMS endpoint) and that all tests pass successfully:


Figure 3.3: Testing IRM Functionality

If you receive an error stating that Exchange “failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC)”, this is usually because IRM features in Exchange require the Exchange servers (the Exchange Servers security group in Active Directory) to be granted Read and Read & execute permissions on the server certification pipeline of the connector (ServerCertification.asmx). To ensure that they have them:

  1. Log on to the RMS Connector servers;
  2. Navigate to %systemdrive%\Program Files\Microsoft Rights Management connector\Web Service\certification;
  3. Right-click ServerCertification.asmx, and then click Properties;
  4. In the ServerCertification.asmx Properties dialog box, click the Security tab;
  5. Click the Continue button or the Edit button;
  6. In the Permissions for ServerCertification.asmx dialog box, click Add;
  7. In the Select User, Computer, Service Account, or Group dialog box, click Object Types, select the Computers check box, and then click OK;
  8. Type Exchange Servers to add the Exchange Servers group;
  9. Click Check Names, and then click OK;
  10. Under Allow, make sure that the Read & execute and the Read check boxes are selected;
  11. Click OK.
  12. Repeat steps above on all other RMS Connector servers.

If you now re-run the test, it should pass successfully.
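The twelve clicks above can be applied consistently to every connector server, and checked, from PowerShell. This is an added example rather than code from the article: it assumes PowerShell remoting is enabled on the connector servers, that you run it as an administrator of those servers from the Exchange Management Shell, and that the server names, the domain prefix of the Exchange Servers group and the test mailbox are placeholders to replace.

```powershell
# Added example: grant the Exchange Servers group Read & execute on
# ServerCertification.asmx on every RMS connector server, then re-run Test-IRMConfiguration.
# Placeholders: connector host names, domain prefix, sender mailbox.
$ConnectorServers     = 'rmsconn1.letsexchange.com', 'rmsconn2.letsexchange.com'
$ExchangeServersGroup = 'LETSEXCHANGE\Exchange Servers'   # the AD group containing the Exchange computer accounts
$TestSender           = 'administrator@letsexchange.com'   # any mailbox in the organization

$grant = {
    param([string]$Group)
    # Same path as step 2 above, resolved against the remote server's system drive
    $path = Join-Path $env:SystemDrive 'Program Files\Microsoft Rights Management connector\Web Service\certification\ServerCertification.asmx'
    if (-not (Test-Path -LiteralPath $path)) { throw "$path not found on $env:COMPUTERNAME; is the connector installed here?" }

    $acl = Get-Acl -LiteralPath $path
    # ReadAndExecute already implies Read, so this is exactly what step 10 asks for
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)       # adds the ACE; existing identical ACEs are merged, so re-running is safe
    Set-Acl -LiteralPath $path -AclObject $acl

    # Return the resulting ACE(s) for the group so the caller can see what each server now has
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { "$($_.IdentityReference)" -eq $Group } |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, IdentityReference, FileSystemRights, AccessControlType
}

# Step 12: apply to all connector servers in one go and show the effective entries
Invoke-Command -ComputerName $ConnectorServers -ScriptBlock $grant -ArgumentList $ExchangeServersGroup |
    Format-Table Server, IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Back on the Exchange side: every step should now report PASS
Test-IRMConfiguration -Sender $TestSender
```

If a server still fails after this, compare the Server column of the output with the list of servers behind the load-balanced connector name; a server missing from the ACL list but present in the load balancer pool will fail the RAC/CLC step only for the fraction of requests it receives.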

Protecting Information

Now that the RMS connector is installed and configured, and our Exchange servers are configured to use it, users can protect and consume IRM-protected e-mail messages:


Figure 3.4: Protecting E-mail in Outlook using RMS
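Besides users protecting messages themselves in Outlook, enabling IRM for internal messages (the Set-IRMConfiguration step above) lets the server apply a template on their behalf through a transport protection rule. The following is an added example and not part of the original article; it is run in the Exchange Management Shell, uses the built-in “Do Not Forward” template, and the rule name and trigger keyword are placeholders.

```powershell
# Added example: a transport protection rule that IRM-protects internal messages
# marked "Confidential" with the built-in "Do Not Forward" template.
# Placeholders: the rule name and the keyword.
$RuleName = 'Protect confidential internal mail'
$Keyword  = 'Confidential'

# Prerequisite check: transport protection rules need internal licensing enabled
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    throw 'Run Set-IRMConfiguration -InternalLicensingEnabled $true first'
}

# Templates are fetched through the connector; this also proves the licensing path works
Get-RMSTemplate | Format-Table Name, Description -AutoSize
$template = Get-RMSTemplate -Identity 'Do Not Forward'
if (-not $template) { throw 'Template not visible; check the registry redirection values and Test-IRMConfiguration' }

# Scope the rule to internal senders and recipients, matching "IRM for internal messages"
New-TransportRule -Name $RuleName `
    -FromScope InOrganization -SentToScope InOrganization `
    -SubjectOrBodyContainsWords $Keyword `
    -ApplyRightsProtectionTemplate $template

# Confirm the rule is enabled and bound to the intended template
Get-TransportRule -Identity $RuleName | Format-List Name, State, FromScope, SentToScope, ApplyRightsProtectionTemplate
```

Send a test message containing the keyword between two internal mailboxes and open it in Outlook or Outlook Web App: the Figure 3.4 banner should appear without the sender having done anything, which confirms that the server side of the connector integration (certification, licensing and template retrieval) works end to end.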

Conclusion

In this article series we looked at how to integrate the new RMS Connector with an Exchange 2013 environment to help users IRM-protect their e-mails.
