Planning for External RMS Users

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This section describes topologies that you can implement to allow your organization and external users to share RMS-protected content over the Internet.

You can deploy RMS clusters for both internal and external use by using one of the following options:

  • Set the root cluster URL to a URL that can be accessed over the Internet. Ensure that this URL is resolved in the intranet to RMS servers for the same cluster. When you do this, the publishing license URL that end-user computers use for license acquisition works both in the intranet and on the Internet.

  • Set up a license server dedicated to extranet users and configure the extranet cluster URL appropriately.

Allowing External Users

You can include external users in your RMS installation if you create internal accounts for those users and allow the users to gain access to your corporate network through a virtual private network (VPN). The account can have an internal mailbox or an e-mail address that points to an external mailbox.

If you use an internal mailbox, internal authors must specify the e-mail address that is associated with that internal mailbox when they publish RMS-protected content. If you use an external mailbox, internal authors must take care to specify the account’s external e-mail address when they publish RMS-protected content.

To provide network security while still supporting network access by external users, you can create a separate Active Directory forest for partner accounts. With this topology, you can provision a separate root cluster for the Internet-facing portion of the RMS system. This allows external users to receive their RMS machine certificate and rights account certificate from this Internet-facing root cluster the first time that they gain access to RMS-protected content.

If you decide to implement a separate forest for external partners that will contain the partner accounts, RMS must be installed in that forest. You can then use the trusted publishing domain feature of RMS to establish trust between the two RMS clusters. The extranet cluster URL must be a DNS record that is accessible from the Internet. Creating this trust relationship would allow the external RMS server to issue use licenses for all content issued by the internal RMS system and vice versa.

As an alternative to setting up an RMS cluster in the external forest, you could use a server such as Microsoft ISA server to filter inbound traffic and reverse proxy RMS license requests to the internal RMS cluster.

Using External Certificates

You can allow external users to gain access to RMS-protected content if you set up a separate RMS server as a licensing server that is accessible to the Internet, publish the content from that licensing server, and then specify trust relationships on that server.

The Internet-facing portion of the RMS deployment is a separate licensing server dedicated to external RMS users. This server is part of the same cluster as the internal licensing cluster and it uses the same database and cluster URL, but it is the only server in that cluster that can accept incoming Internet traffic.

When external users request a use license from this RMS licensing server, they will be using a Rights Account Certificate from another RMS certification service that this licensing server must trust.

Trusting Windows Live ID–based Rights Account Certificates

Your organization can choose to trust rights account certificates that are based on Windows Live ID credentials. These account certificates require users to obtain rights account certificates directly from the Microsoft Certification Service hosted on the Internet.

In this model, external users receive RMS machine certificates and rights account certificates from Microsoft. When the content is published, the external user’s Windows Live ID account must be named as a recipient in the publishing license.

The Windows Live ID account must match the Windows Live ID account that was used when the user downloaded the rights account certificate from Microsoft. The author must specify this account when adding recipients in the RMS-enabled application. If the accounts do not match, the content cannot be consumed.

Trusting Other External Certificates

If the external user’s company also has an RMS deployment, you can choose to set up a trust relationship with that company. To do this, request that the company export their RMS server licensor certificate and send it to you. You can then import the certificate by using the RMS administration console for your licensing server that is accessible to the Internet.
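The three preceding sections describe two independent conditions that the Internet-facing licensing server applies before it issues a use license to an external user: the rights account certificate must come from a certification service the server trusts (the Windows Live ID service or a partner whose server licensor certificate has been imported), and the account the certificate names must match a recipient the author named in the publishing license. The following Python model is an added illustration of that decision logic and is not RMS code; the class names, the `issuer_id` values, the e-mail addresses and the reason strings are all constructed for the example, and the comparison rule (case-insensitive e-mail match) is a simplification.

```python
"""Conceptual model of the checks an Internet-facing RMS licensing server
makes before issuing a use license to an external user.

Added illustration, not RMS code: every name and value here is hypothetical.
It models two separate conditions from the planning guidance:
  1. the rights account certificate (RAC) must be issued by a certification
     service the licensing server trusts (its own, the Windows Live ID
     service, or a partner whose server licensor certificate was imported);
  2. the account the RAC names must be a recipient in the publishing license.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RightsAccountCertificate:
    """Simplified RAC: the account it was issued to and the issuing service."""
    account: str
    issuer_id: str


@dataclass(frozen=True)
class PublishingLicense:
    """Simplified publishing license: the recipients the author named."""
    content_id: str
    recipients: frozenset  # normalised account names


@dataclass
class LicensingServer:
    """Internet-facing licensing server and its configured trust list."""
    own_issuer_id: str
    trusted_issuer_ids: set = field(default_factory=set)

    def import_partner_certificate(self, partner_issuer_id: str) -> None:
        """Models importing a partner's exported server licensor certificate."""
        self.trusted_issuer_ids.add(partner_issuer_id)


def normalise_account(addr: str) -> str:
    # Account names are compared case-insensitively, ignoring stray whitespace.
    return addr.strip().lower()


def make_publishing_license(content_id: str, recipients) -> PublishingLicense:
    return PublishingLicense(content_id,
                             frozenset(normalise_account(r) for r in recipients))


def evaluate_use_license_request(server: LicensingServer,
                                 pl: PublishingLicense,
                                 rac: RightsAccountCertificate):
    """Return (granted, reason). The issuer check runs first: a RAC from an
    untrusted service is rejected before its account is even examined."""
    if (rac.issuer_id != server.own_issuer_id
            and rac.issuer_id not in server.trusted_issuer_ids):
        return False, "untrusted-certification-service"
    if normalise_account(rac.account) not in pl.recipients:
        return False, "account-not-named-in-publishing-license"
    return True, "granted"


def run_scenarios() -> dict:
    """Constructed scenarios covering the cases described in the guidance."""
    # Constructed identifiers (placeholders, not real service names).
    live_id_service = "CONSTRUCTED-LIVE-ID-CERT-SERVICE"
    partner_service = "CONSTRUCTED-PARTNER-SLC"
    server = LicensingServer(own_issuer_id="CONSTRUCTED-INTERNAL-ROOT-CLUSTER",
                             trusted_issuer_ids={live_id_service})

    # The author named one Live ID user and one partner user as recipients.
    pl = make_publishing_license("doc-0001",
                                 ["Alice.Ext@example.com", "bob@partner.example"])

    results = {}
    # Live ID RAC whose account matches the one the author named.
    results["liveid_match"] = evaluate_use_license_request(
        server, pl, RightsAccountCertificate("alice.ext@example.com", live_id_service))
    # Live ID RAC downloaded under a different Live ID: content cannot be consumed.
    results["liveid_other_account"] = evaluate_use_license_request(
        server, pl, RightsAccountCertificate("alice.other@example.com", live_id_service))
    # Partner RAC before the partner's server licensor certificate is imported.
    results["partner_before_import"] = evaluate_use_license_request(
        server, pl, RightsAccountCertificate("bob@partner.example", partner_service))
    # Same request after the administrator imports the partner certificate.
    server.import_partner_certificate(partner_service)
    results["partner_after_import"] = evaluate_use_license_request(
        server, pl, RightsAccountCertificate("bob@partner.example", partner_service))
    return results


if __name__ == "__main__":
    for name, (granted, reason) in run_scenarios().items():
        print(f"{name:24s} granted={granted!s:5s} reason={reason}")
```

The two failure reasons are kept distinct on purpose: a rejection because the certification service is not trusted is a configuration matter for the licensing-server administrator (import the partner's certificate), while a rejection because the account is not named is a publishing-time matter for the author (name the external user's exact Windows Live ID or external address).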