Azure RMS Connector – Part 2 Exchange 2010/2013 Configuration
In Part 1 we walked through installing the RMS Connector services to light up on-premises services for RMS.
The RMS connector supports a handful of additional scenarios and services:
- For Exchange 2013: Client access servers and mailbox servers
- For Exchange 2010: Client access servers and hub transport servers
- For SharePoint: Front-end SharePoint webservers, including those hosting the Central Administration server
- For File Classification Infrastructure: Windows Server computers that have installed File Resource Manager
Configuring these servers to use the connector requires registry settings. To apply them, you have two options:
| Configuration option | Advantages | Disadvantages |
|---|---|---|
| Automatically by using the server configuration tool for Microsoft RMS connector | No direct editing of the registry. This is automated for you by using a script. No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL. The prerequisites are automatically checked for you (but not automatically remediated) if you run it locally. | When you run the tool, you must make a connection to a server that is already running the RMS connector. |
| Manually by editing the registry | No connectivity to a server running the RMS connector is required. | More administrative overheads that are error-prone. You must obtain your Microsoft RMS URL, which requires you to run a Windows PowerShell command. You must always make all the prerequisites checks yourself. |
NOTE: In both cases you’ll need to manually install the prerequisites.
I’d definitely recommend the automation option versus the manual option here.
First, go ahead and grab the PowerShell script you downloaded earlier, or grab it directly from here
You can either deploy the script through a local install, Configuration Manager or Group Policy.
Exchange 2010/2013
In order to configure RMS for Exchange, you’ll need to install it on the respective Exchange server roles:
- For Exchange 2013: Client access servers and mailbox servers
- For Exchange 2010: Client access servers and hub transport servers
You can run the following command, replacing the example URI with the name of your own RMS server:
.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013
Now let’s go ahead and enable IRM functionality in Exchange.
The first thing we’ll need to do is enable IRM:
Set-IRMConfiguration -InternalLicensingEnabled $true
Let’s log into the ECP to create a transport rule.
Navigate to Mail Flow > Rules and choose Apply rights protection to messages…
You can customize these transport rules to your liking. A few example scenarios are protecting any content:
- Sent to a specific domain
- Sent to Exchange Partner domains
- Sent to HR or Legal from being forwarded
- Sent to All Employees from Reply All
- Sender is part of a specific group
- Subject or body have specific words or text patterns
- Message has sensitive content
- Attachment content has specific words or text patterns
We’re going to go ahead and create a rule that applies an RMS policy to block forwarding for any recipients in the netrixllc.com domain.
Select your RMS template
And modify the rest of the rule as needed
You’ll get prompted if you choose a date to apply before the current time
You should now see your transport rule
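The Exchange Management Shell equivalent of the ECP steps above, as an added example that is not part of the original post: it confirms that IRM licensing is on and that the template is visible to Exchange before it creates the rule. The template name, rule name and test sender are assumed values, and the -RecipientDomainIs condition assumes Exchange 2013.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2013 server.
# Assumed values (not from the original post): TemplateName, RuleName, TestSender.
param(
    [string]$RecipientDomain = 'netrixllc.com',                      # domain used in the walkthrough
    [string]$TemplateName    = 'Do Not Forward',                     # assumption: template to apply
    [string]$RuleName        = 'RMS - block forwarding (netrixllc)', # hypothetical rule name
    [string]$TestSender      = 'admin@contoso.com'                   # hypothetical internal mailbox
)

$ErrorActionPreference = 'Stop'

# 1. IRM licensing must be enabled, otherwise the rule has nothing to apply.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw 'InternalLicensingEnabled is False. Run: Set-IRMConfiguration -InternalLicensingEnabled $true'
}

# 2. End-to-end IRM check (licensing URLs, template retrieval, encrypt/decrypt).
#    Review the output for failures before continuing.
Test-IRMConfiguration -Sender $TestSender | Format-List

# 3. The template must be visible to Exchange, or the rule cannot reference it.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) {
    $available = (Get-RMSTemplate | Select-Object -ExpandProperty Name) -join ', '
    throw "Template '$TemplateName' not found. Templates visible to Exchange: $available"
}

# 4. Do not create a duplicate if the rule already exists.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Write-Warning "Transport rule '$RuleName' already exists; leaving it unchanged."
    return
}

# 5. Create the rule: protect any message addressed to the target domain.
New-TransportRule -Name $RuleName `
    -RecipientDomainIs $RecipientDomain `
    -ApplyRightsProtectionTemplate $TemplateName `
    -Comments 'Applies RMS protection to mail sent to the partner domain'

# 6. Show what was created so it can be compared with the ECP view.
Get-TransportRule | Where-Object { $_.Name -eq $RuleName } |
    Format-List Name, State, Mode, Priority, RecipientDomainIs, ApplyRightsProtectionTemplate
```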
Now we’ll go ahead and send an e-mail to that domain
And you can see on the recipient side, we’ve received a message that has been protected with RMS.
I had to take a picture because the content is protected from Forward (grayed out), Copy, Print, Screen capture or Save. 🙂
See my follow-up blog for further Connector configuration for SharePoint & File Servers!