In Part 1 we walked through installing the RMS Connector services to light-up on-premises services for RMS.

In Part 2 we walked through setting up the RMS Connector for Exchange 2010/2013

The RMS connector supports a handful of additional scenarios and services:

  • For Exchange 2013: Client access servers and mailbox servers
  • For Exchange 2010: Client access servers and hub transport servers
  • For SharePoint: Front-end SharePoint webservers, including those hosting the Central Administration server
  • For File Classification Infrastructure: Windows Server computers that have installed File Resource Manager

This configuration requires registry settings. To do this, you have two options:

Configuration option Advantages Disadvantages
Automatically by using the server configuration tool for Microsoft RMS connector No direct editing of the registry. This is automated for you by using a script.

No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL.

The prerequisites are automatically checked for you (but not automatically remediated) if you run it locally.

When you run the tool, you must make a connection to a server that is already running the RMS connector.
Manually by editing the registry No connectivity to a server running the RMS connector is required. More administrative overheads that are error-prone.

You must obtain your Microsoft RMS URL, which requires you to run a Windows PowerShell command.

You must always make all the prerequisites checks yourself.

NOTE: In both cases you’ll need to manually install pre-requisites

I’d definitely recommend the automation option versus the manual option here.

First, go ahead and grab the PowerShell script you downloaded earlier, or grab it directly from here

You can either deploy the script through a local install, Configuration Manager or Group Policy.

Server 2012/2012R2 with File Server Classification Infrastructure

In order to configure RMS for Exchange, you’ll need to install it on the respective Exchange server roles:

  • For File Classification Infrastructure: Windows Server computers that have installed File Resource Manager

We’ve already gone ahead and added our FCI server to the RMS connector like we did in Part 1 for the Exchange server

You can run the following command, inserting the name of your RMS server in place below

.\GenConnectorConfig.ps1 -ConnectorUri -SetFCI2012

After running the tool, restart the File Server Resource Manager services, which refreshes the RMS templates on the server.

Now time to create classification rules and file management tasks to protect documents with RMS Encryption, and then specify an RMS template to automatically apply RMS policies. You can setup policies to protect documents based on various scenarios:

  • Confidential data, manually tagged
  • Confidential data, Exec file share blocking all users from opening, no matter where it gets moved
  • Apply rights based on dept/group
  • Apply rights based on file name with project ID, customer ID or customer name

Let’s assume we haven’t touched FCI yet. The way RMS works, is by linking to an existing condition, such as a classification property.

In this case, we’ll create a simple rule that RMS protects any content that has been tagged as Confidential, with the Azure RMS policy Confidential – View Only.

Let’s first create a Local Property, start by launching File Server Resource Manager

You can see that we can create various property types, in this case we’ll choose a simple Yes/No

We’ll then create a Classification Rule to publish the classification to the folder

We can choose the data type and folders included in the scope

And choose how we want to classify the data and the property we’ve created

Then define the evaluation type, if applicable

Finally, we’ll create a File Management Task to link everything together

Define the scope

Choose RMS from the drop down and choose the relevant RMS policy

Choose the condition to look for in order to apply the RMS policy

And define the schedule

Let’s test it out!

We’ll start with a non-RMS protected document

Let’s copy a file to the share

Let’s apply the Confidential policy manually (you can also automate this based on various attributes, location, etc) to the document

Now let’s go ahead and open up the document, and you can see it’s RMS protected with the policy we defined!

Leave a Reply

Your email address will not be published. Required fields are marked *