Right Management Services Connector

On primes Right Management Services Connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations.

1.1.1       RMS Connector Prerequisites

Design and Archeticture

• Activate Azure Rights Management
• After RMS is activated, Azure Active Directory must be configured to work with the users and groups in your Active Directory database.
• A minimum of two member computers on which to install the RMS connector.
• Access to the Internet via a firewall (or web proxy) that does not require authentication.
• Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector.
• DNS load Balance name for RMS connectors https://rmsconnector.pif.gov.sa with port 443 , Affinity = None , Distribution method = Equal
• One Public IP Address and Public DNS Name for RMS connector Name
• On Exchange servers, a version 1 of the RMS client (also known as MSDRM) that includes support for RMS Cryptographic Mode 2. Must be exist.
• A server running SharePoint 2016 or SharePoint 2013 must also be running a version of the MSIPC client 2.1 that is supported with the RMS connector.
• File Server must be minimum windows server 2012
• Exchange Server 2010 minimum
• SharePoint 2010 minimum
• Can’t change the name of the RMS connector after configuring Exchange and SharePoint to use the RMS
• TLS or SSL, Need Public SSL Certificate for the RMS connector with HTTPS port 443
• RMS can be configured to use a web proxy server if the connector does not have direct internet access.
• The ROOT CA for RMS Connector must be installed on the Exchange and SharePoint Server, and must these servers able to download a certification revocation list (CRL)
• In all cases, you must manually install any prerequisites and configure Exchange, SharePoint, and File Classification Infrastructure to use Rights Management.
• For Automatic classification and protection files, Azure Information Protection Scanner must be deployed.
• labels are stored in emails and documents
  • In emails, this information is stored in the x-header: msip_labels: MSIP_Label_<GUID>_Enabled=True;
  • For Word documents (.doc and .docx), Excel spreadsheets (.xls and .xlsx), PowerPoint presentations (.ppt and .pptx), and PDF documents (.pdf), this metadata is stored in the following custom property: MSIP_Label_<GUID>_Enabled=True
• The Azure Information Protection client supports classification and labeling, in addition to protection. This client integrates with Office applications and must be installed separately.
• The Rights Management (RMS) client is automatically installed with some applications, such as Office applications, the Azure Information Protection client, and RMS-enlightened applications from software vendors.
• When set protection on files or emails by using the Azure Rights Management service from Azure Information Protection and you do not use a template, you must configure the usage rights yourself
• Configure The superuser feature of the Azure Rights Management service from Azure Information Protection ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization.
• By default, the superuser feature is not enabled, and no users are assigned this role. It is enabled for you automatically if you configure the Rights Management connector for Exchange, and it is not required for standard services that run Exchange Online, SharePoint Online, or SharePoint Server.