Looking for good AD RMS setup guides.

yo_bee asked:
I am currently running AD RMS on a 2008 R2 server intranet and am looking to expand it for external access. I started to go over the TechNet articles listed in the search below. Any good suggestions?
Tags: ad rms extranet
btan (Exec Consultant) commented:
In the external context, I suggest considering these options for external users when you provide Active Directory accounts for them:
- You can deploy separate AD RMS infrastructures for internal and external users and create a trusted user domain relationship between them.
- You can create a single Active Directory forest and AD RMS infrastructure that is available on the Internet and to users in your intranet.
- You can create an AD RMS infrastructure in a separate forest and use AD FS to federate the intranet- and extranet-facing forests.
https://technet.microsoft.com/en-us/library/hh311038(v=ws.10).aspx

The key aspect is actually for external organizations (or users) to have the ability to access the AD RMS infrastructure from outside your organization's network, that is, as I see it, largely from the Internet (there may be other dedicated isolated segments, but they are still considered "foreign" per se). It may be good to delve further into the possible recommended architectures:
- Host all of the AD RMS servers (root and licensing-only servers) in a perimeter network and configure them to access the directory services servers, which are hosted in the core network.
- Host an AD RMS licensing-only cluster in a perimeter network and configure it to access the directory services servers and the AD RMS root server, which are hosted in the core network.
- Host AD RMS servers, together with domain controllers to service them, in a perimeter network.
- Host all of the AD RMS servers in the core network and publish them to the Internet through a reverse proxy, by using a product such as Internet Security and Acceleration (ISA) Server.
https://technet.microsoft.com/en-us/library/hh311037(v=ws.10).aspx
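Whichever of the four architectures above is chosen, the extranet-facing licensing and certification pipelines end up published on a public host name, and the first thing a defender should verify is that they are reachable only over HTTPS with a certificate chain that validates from outside the network. The PowerShell below is an added example, not code from the original thread or from Microsoft; it assumes a placeholder extranet host name (rms.example.com) and uses the standard AD RMS pipeline paths (_wmcs/licensing and _wmcs/certification). Run it from a machine outside the corporate network.

```powershell
# Added example (not from the original post): check that the published
# AD RMS extranet pipelines resolve publicly, present a valid TLS chain,
# and answer HTTP. The host name is a placeholder for your cluster URL.
param(
    [string]$ExtranetHost = 'rms.example.com'   # placeholder, not a real cluster
)

# Standard AD RMS web-service pipeline paths behind the extranet cluster URL
$pipelines = @(
    "https://$ExtranetHost/_wmcs/licensing/license.asmx",
    "https://$ExtranetHost/_wmcs/certification/certification.asmx"
)

foreach ($url in $pipelines) {
    $uri = [System.Uri]$url

    # 1. Name resolution: public DNS must point at the proxy/perimeter host,
    #    not leak an internal (RFC 1918) address.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host) |
                 ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "$($uri.Host): DNS resolution failed ($($_.Exception.Message))"
        continue
    }
    $privateHits = $addrs | Where-Object {
        $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    }
    if ($privateHits) {
        Write-Warning "$($uri.Host) resolves to a private address: $($privateHits -join ', ')"
    }

    # 2. TLS handshake: the certificate chain and host name must validate
    #    from the external vantage point, otherwise RMS clients will fail.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)   # throws on untrusted chain / name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "{0}: TLS OK, subject={1}, expires={2:yyyy-MM-dd}" -f $uri.Host, $cert.Subject, $cert.NotAfter
        $ssl.Dispose()
    } catch {
        Write-Warning "$($uri.Host): TLS validation failed ($($_.Exception.Message))"
    } finally {
        $tcp.Dispose()
    }

    # 3. Pipeline reachability: 200 or 401 means the service is published
    #    through the proxy; 404 or 5xx usually means a wrong proxy rule or
    #    a cluster URL that was never set for the extranet.
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing -TimeoutSec 15
        "{0}: HTTP {1}" -f $url, $resp.StatusCode
    } catch {
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
            if ($status -eq 401) {
                "$url : HTTP 401 (published, authentication required)"
            } else {
                Write-Warning "$url : HTTP $status"
            }
        } else {
            Write-Warning "$url : request failed ($($_.Exception.Message))"
        }
    }
}
```

The three checks map to the three places an extranet deployment usually goes wrong: split-brain DNS that hands external clients an internal address, a certificate issued by an internal CA that external machines do not trust, and a reverse-proxy rule that does not cover both pipelines. A warning from any stage is worth fixing before the licensing-only or perimeter cluster is opened to partners.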

Another aspect: in the common RMS use case, each user's email address is mostly the primary means of identification. Hence, it helps to enforce the necessary access to protected content, restricted to certain or all users within the same email domain.

There is also an alternative sharing option whereby the user can use a Windows Live ID (WLID) email address to access protected content. This then opens another exploration into setting up a trust with Windows Live ID to allow an AD RMS user to send rights-protected content to a user with a Windows Live ID, who is still able to consume the protected content.

These are the so-called "complex scenarios" (https://technet.microsoft.com/en-us/library/dd996659(v=ws.10).aspx) that you can look at in a later stage too, after reviewing the infrastructure requirements shared in the above points.

Overall, there is a use case in light of this as well, as add-on info for you:
Perhaps your organization plans to share protected information in a more casual manner, and you would like to avoid any type of prolonged trust.  This scenario is common in a business to consumer relationship or when you simply want to share a single document with a partner.  You can configure your AD RMS cluster to trust the Windows Live ID service and then partner users can open protected content using WLID credentials.  While partner users will be able to open protected content, they are unable to create protected content that your users will be able to consume.  Furthermore, these users will not be able to open protected content on their Windows Mobile device or access your documents in a protected SharePoint library.  Finally, protection must be applied on an individual basis; WLID accounts cannot be added to an Active Directory group.
http://blogs.technet.com/b/rms/archive/2012/04/29/sharing-protected-documents-when-partners-do-not-have-an-ad-rms-installation.aspx
yo_bee (Director of Information Technology, Author) commented:
thank you for putting in the effort and time to search, compose and post the reply.  
I think the last link is what I need.