Azure Rights Management Services (Azure RMS)


Azure RMS Design and Architecture.

Azure Rights Management (often abbreviated to Azure RMS) is the protection technology used by Azure Information Protection.

This cloud-based protection service uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devices—phones, tablets, and PCs. Information can be protected both within your organization and outside your organization because that protection remains with the data, even when it leaves your organization’s boundaries.

On-premises Azure RMS is divided into two parts:

  1. Rights Management Services Connector
  2. Azure Information Protection Scanner


Rights Management Services Connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations.

  1. RMS Connector Prerequisites

RMS connector server sizing (per server):
  Number of servers: 2
  Cores: 4
  RAM: 8 GB
  HDD: 200 GB
  OS/Domain: Windows Server 2016, fully updated and joined to the domain, with one NIC connected to the LAN.
    · Domain Admin user required for the installation.
    · Azure Global Admin required for the installation.
  Internet access: Required, with no authentication.
    · Recommendation is to allow the connector anonymous access to the Internet destinations.

Design and Architecture

  • Activate Azure Rights Management.
  • After RMS is activated, Azure Active Directory must be configured to work with the users and groups in your Active Directory database.
  • A minimum of two member computers on which to install the RMS connector.
  • Access to the Internet via a firewall (or web proxy) that does not require authentication.
  • The connector servers must be in a forest or domain that trusts the other forests in the organization that contain the Exchange or SharePoint servers you want to use with the RMS connector.
  • A DNS load-balanced name for the RMS connectors: https://rmsconnector.pif.gov.sa on port 443, Affinity = None, Distribution method = Equal.
  • One public IP address and one public DNS name for the RMS connector name.
  • On Exchange servers, version 1 of the RMS client (also known as MSDRM) with support for RMS Cryptographic Mode 2 must be present.
  • A server running SharePoint 2016 or SharePoint 2013 must also be running a version of the MSIPC client 2.1 that is supported with the RMS connector.
  • File servers must be running Windows Server 2012 at a minimum.
  • Exchange Server 2010 minimum.
  • SharePoint 2010 minimum.
  • The name of the RMS connector cannot be changed after Exchange and SharePoint have been configured to use it.
  • TLS or SSL: a public SSL certificate is needed for the RMS connector, using HTTPS on port 443.
  • The RMS connector can be configured to use a web proxy server if it does not have direct Internet access.
  • The root CA certificate for the RMS connector must be installed on the Exchange and SharePoint servers, and these servers must be able to download a certificate revocation list (CRL).
  • In all cases, you must manually install any prerequisites and configure Exchange, SharePoint, and File Classification Infrastructure to use Rights Management.
  • For automatic classification and protection of files, the Azure Information Protection scanner must be deployed.
  • Labels are stored in emails and documents:
    • In emails, this information is stored in the x-header msip_labels, for example: msip_labels: MSIP_Label_<GUID>_Enabled=True;
    • For Word documents (.doc and .docx), Excel spreadsheets (.xls and .xlsx), PowerPoint presentations (.ppt and .pptx), and PDF documents (.pdf), this metadata is stored in the custom property MSIP_Label_<GUID>_Enabled=True.
  • The Azure Information Protection client supports classification and labeling in addition to protection. This client integrates with Office applications and must be installed separately.
  • The Rights Management (RMS) client is automatically installed with some applications, such as Office applications, the Azure Information Protection client, and RMS-enlightened applications from software vendors.
  • When you set protection on files or emails by using the Azure Rights Management service from Azure Information Protection and you do not use a template, you must configure the usage rights yourself.
  • Configure the super user feature of the Azure Rights Management service from Azure Information Protection; it ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization.
  • By default, the super user feature is not enabled, and no users are assigned this role. It is enabled for you automatically if you configure the Rights Management connector for Exchange, and it is not required for standard services that run Exchange Online, SharePoint Online, or SharePoint Server.
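The two places the list above says a label is persisted (the msip_labels x-header on mail and the MSIP_Label_<GUID>_Enabled custom property on Office files) are what a mail-flow rule, a DLP check or an incident responder actually reads back. The script below is an added example, not code from the original post or from Microsoft: it parses an msip_labels header value and reads the custom-property part (docProps/custom.xml) of an Office Open XML file, returning the per-label attributes so you can verify that a file or message really carries an enabled label. The GUID, header attributes and the in-memory .docx are constructed sample data; only the Enabled attribute and the property name pattern come from the post.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# One MSIP label attribute name, e.g. MSIP_Label_<GUID>_Enabled (pattern from the post)
LABEL_ATTR = re.compile(
    r"MSIP_Label_([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})_([A-Za-z_]+)"
)
# Namespace of docProps/custom.xml in Office Open XML packages
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"


def parse_msip_header(header_value):
    """Parse an msip_labels x-header value into {label_guid: {attribute: value}}."""
    labels = {}
    for item in header_value.split(";"):
        item = item.strip()
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        m = LABEL_ATTR.fullmatch(key.strip())
        if not m:
            continue  # not an MSIP label attribute; ignore
        guid, attr = m.group(1).lower(), m.group(2)
        labels.setdefault(guid, {})[attr] = value.strip()
    return labels


def parse_office_custom_props(docx_bytes):
    """Collect MSIP label custom properties from an Office Open XML file (.docx/.xlsx/.pptx)."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels  # file has no custom properties, so no label
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{CUSTOM_NS}}}property"):
        m = LABEL_ATTR.fullmatch(prop.get("name", ""))
        if not m:
            continue
        # The value is the text of the single vt:* child element
        value = "".join(child.text or "" for child in prop)
        labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value.strip()
    return labels


def enabled_labels(labels):
    """Return the GUIDs of labels whose Enabled attribute is true (case-insensitive)."""
    return sorted(g for g, attrs in labels.items() if attrs.get("Enabled", "").lower() == "true")


# ---- constructed sample data (placeholder GUID, not a real label id) ----
SAMPLE_GUID = "8c0b7f8a-1111-2222-3333-444455556666"
SAMPLE_HEADER = (
    f"MSIP_Label_{SAMPLE_GUID}_Enabled=True; "
    f"MSIP_Label_{SAMPLE_GUID}_Name=Confidential; "
    f"MSIP_Label_{SAMPLE_GUID}_SetDate=2019-01-01T10:00:00Z"
)


def build_sample_docx(guid):
    """Build a minimal in-memory .docx containing only the label custom properties (constructed)."""
    custom_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" name="MSIP_Label_{guid}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
  <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="3" name="MSIP_Label_{guid}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print("mail header labels:", parse_msip_header(SAMPLE_HEADER))
    print("enabled in mail:", enabled_labels(parse_msip_header(SAMPLE_HEADER)))
    doc_labels = parse_office_custom_props(build_sample_docx(SAMPLE_GUID))
    print("document labels:", doc_labels)
    print("enabled in document:", enabled_labels(doc_labels))
```

Both parsers key on the label GUID rather than the display name, because the GUID is what the Azure Information Protection policy identifies a label by; a file whose custom.xml lists a label with Enabled set to anything other than true, or a message with no msip_labels header at all, is reported as unlabeled rather than guessed at.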

 

Azure Information Protection Scanner

When you have configured your Azure Information Protection policy for labels that apply automatic classification, files that this scanner discovers can then be labeled. Labels apply classification, and optionally, apply protection or remove protection.
The scanner can inspect any files that Windows can index, by using iFilters that are installed on the computer. Then, to determine if the files need labeling, the scanner uses the Office 365 built-in data loss prevention (DLP) sensitivity information types and pattern detection, or Office 365 regex patterns. Because the scanner uses the Azure Information Protection client, it can classify and protect the same file types.


  1.1.1 Scanner Prerequisites

Scanner server sizing:
  Number of servers: 1
  Cores: 8
  RAM: 16 GB
  HDD: 100 GB
  OS/Domain: Windows Server 2016, fully updated and joined to the domain, with one NIC connected to the LAN.
    · Domain Admin user required for the installation.
    · Azure Global Admin required for the installation.
  Internet access: Required, with no authentication.
    · Recommendation is to allow the connector anonymous access to the Internet destinations.
  SQL Database: SQL Server 2012 minimum (Standard or Enterprise).

Design and Architecture

  • Windows Server 2016 or Windows Server 2012 R2.
  • A fast and reliable network connection to the data stores to be scanned.
  • Make sure that this computer has the Internet connectivity that it needs for Azure Information Protection.
  • SQL Server 2012 is the minimum version (Standard or Enterprise).
  • SQL Server to store the scanner configuration:
    • Local or remote instance.
    • Sysadmin role to install the scanner.
  • Service account to run the scanner service, with the following rights:
    • Log on locally
    • Log on as a service
  • Permissions to the data repositories: you must grant Read and Write permissions for scanning the files and then applying classification and protection.
  • To ensure that the scanner always has access to protected files, make this account a super user for the Azure Rights Management service, and ensure that the super user feature is enabled.
  • The Azure Information Protection client is installed. Do not install the client with just the PowerShell module.
  • Configured labels that apply automatic classification and, optionally, protection.

 

Design Summary

  • RMS Service Activated
  • Users Sync must be applied to use the service
  • 2 RMS Connector Servers with Load balance
  • 1 RMS Scanner
  • 1 Public SSL Certificate
  • 1 Public IP with 1 Public DNS Name