4. Applying IRM with Transport Rules
Once IRM integration with Exchange Server 2010 has been implemented, the action Rights Protect Message With RMS Template can be selected for a transport rule, as shown in Figure 7. The RMS template selected can be any distributed rights policy template configured on the AD RMS cluster or the Do Not Forward client-side template. IRM protection can be selected as an action for a rule on a Hub Transport server only.
Figure 7. Applying IRM protection via a transport rule
5. Configuring AD RMS for Exchange Server 2010
Before you can use the IRM functionality in Exchange Server 2010, you must configure your AD RMS infrastructure. Your AD RMS cluster must be Windows Server 2008 R2 or Windows Server 2008 SP2 with hotfix 973247, and the AD RMS Service Connection Point (SCP) must be registered in Active Directory. In addition, the AD RMS server certification pipeline must be enabled and access granted to the Active Directory Exchange Servers group; this must be configured on each server in your AD RMS cluster.
Finally, to enable IRM in Outlook Web App, IRM for Exchange Search, transport decryption, or journal report decryption, the Federated Delivery Mailbox must be granted Super Users privileges in the AD RMS cluster. The Federated Delivery Mailbox is a hidden system mailbox that is created by Exchange 2010 Setup; the Active Directory account associated with this mailbox is disabled by
5.1. Registering the AD RMS Service Connection Point
You register the SCP for AD RMS by following these steps:
1. Log on to a server in the AD RMS cluster with an Active Directory account that is a member of the local AD RMS Enterprise Administrators group on the server and a member of the Enterprise Administrators group in
2. Start the Active Directory Rights Management Services management console from Administrative Tools.
3. In the Active Directory Rights Management Services management console, right-click the AD RMS cluster in the left-hand pane and select Properties. Click the SCP tab in the properties dialog box, as shown in Figure 8, and then select the Change SCP check box. Click OK to register the SCP and click Yes in the confirmation dialog box to apply the changes and exit the Properties dialog box.
Figure 8. Registering the AD RMS SCP
5.2. Configuring the AD RMS Server Certification Pipeline
Configure the server certification pipeline in AD RMS for Exchange Server 2010 integration by following these steps:
1. Log on to a server in the AD RMS cluster with an Active Directory account with local administrative privileges.
2. Click Start, and then click Computer to open Windows Explorer. Navigate to ServerCertification.asmx, right-click it, and select Properties to open the Properties dialog box.
3. In the ServerCertification.asmx Properties dialog box, click the Security tab and then click Advanced. Click Continue on the Permissions tab of the Advanced Security Settings For ServerCertification.asmx dialog box.
4. In the Advanced Security Settings For ServerCertification.asmx dialog box, select the Include Inheritable Permissions From This Object's Parent check box, as shown in Figure 9, and then click OK twice to apply the change and return to the ServerCertification.asmx Properties dialog box.
Figure 9. Setting inheritable permissions on ServerCertification.asmx
5. Back on the Security tab of the ServerCertification.asmx Properties dialog box, select Continue to open the Permissions for ServerCertification.asmx dialog box, as shown in Figure 10.
Figure 10. Granting the Exchange Servers Group Access to ServerCertification.asmx
6. In the Permissions for ServerCertification.asmx dialog box, click Add and then add the Exchange Servers group from Active Directory, granting this group Read and Read & Execute permissions to the file. Apply the changes, and then close all dialog boxes to return to Windows Explorer.
7. Repeat Steps 1 through 6 on all other servers in the AD RMS cluster.
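As an added example that is not part of the book, the following Exchange Management Shell script verifies the outcome of sections 5.1 and 5.2 (SCP discovery and the pipeline ACL) and then creates the transport rule described in section 4. The AD RMS server name, the file path, the sender address and the rule name are assumed placeholders.

```powershell
# Added example: post-configuration checks for the steps above, run from the
# Exchange Management Shell on a Hub Transport server. Server name, file path,
# sender address and rule name are assumed placeholders, not values from the book.
param(
    [string]$RmsServer  = 'ADRMS01',                          # assumption: one AD RMS cluster node
    [string]$TestSender = 'user@contoso.com',                 # assumption: any mailbox-enabled user
    [string]$RuleName   = 'IRM - Do Not Forward Confidential' # assumption: rule display name
)
# Assumed default AD RMS location of the certification pipeline file.
$pipeline = "\\$RmsServer\C$\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx"

# Section 5.2: Exchange Servers needs Read and Read & Execute on the file, and
# inheritance from the parent folder must not be blocked.
$acl    = Get-Acl -Path $pipeline
$rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ace = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like '*\Exchange Servers' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $rights) -eq $rights)
}
if (-not $ace) { Write-Warning "Exchange Servers has no Read & Execute ACE on $pipeline" }
if ($acl.AreAccessRulesProtected) { Write-Warning "Inheritance is blocked on $pipeline" }

# Section 5.1: Exchange locates the cluster through the SCP; without a
# registered SCP the service location reported by Exchange is empty.
$irm = Get-IRMConfiguration
if (-not $irm.ServiceLocation) {
    Write-Warning 'No AD RMS SCP found in Active Directory; register it first'
}
if (-not $irm.InternalLicensingEnabled) {
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# Section 4: create the rule only if Exchange can see the template and the
# rule does not already exist.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq 'Do Not Forward' }
if ($template -and -not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SubjectContainsWords 'Confidential' `
        -SentToScope InOrganization `
        -ApplyRightsProtectionTemplate $template.Name
}

# End-to-end check of certificate acquisition and template access for a user.
Test-IRMConfiguration -Sender $TestSender
```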