Hosting an AD RMS Licensing-Only Cluster in a Perimeter Network, with Directory Services Hosted in an Internal Network

Applies To: Windows Server 2008, Windows Server 2008 R2

You can choose to deploy a licensing-only cluster in the perimeter network instead of the certification cluster. In this case, services that can be performed only by the certification cluster will not be available from the Internet. This is both an advantage (from a security point of view) and a disadvantage (from a functionality point of view).

The following diagram depicts the physical topology, showing the Active Directory Rights Management Services (AD RMS) licensing-only servers (and their associated database servers) in the perimeter network. The certification cluster and its associated database server are in the internal network.

The communication requirements between the perimeter network and both the internal and external networks are the same as for Hosting AD RMS Servers in a Perimeter Network, with Directory Services Hosted in an Internal Network, with the additional requirement that port 80 and port 443 are open between the licensing cluster and the certification cluster.
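The following PowerShell script is an added example, not part of the original article, that checks the two requirements this topology relies on from the perimeter licensing-only server: that the certification cluster answers on ports 80 and 443, and that only the licensing pipeline is published from the perimeter host. The cluster names are placeholders, and the `_wmcs` pipeline paths are assumed; `System.Net.Sockets` is used instead of `Test-NetConnection` because the latter is not available on Windows Server 2008 / 2008 R2.

```powershell
# Added example; cluster names below are placeholders, not values from the article.
$CertificationCluster = 'rms-cert.corp.example.com'    # internal certification cluster
$LicensingCluster     = 'rms-lic.perimeter.example.com' # perimeter licensing-only cluster

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient works on PowerShell 2.0 (Windows Server 2008 / 2008 R2).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Licensing cluster -> certification cluster on 80 and 443 is required
#    by this topology, so both checks must report True.
foreach ($port in 80, 443) {
    $ok = Test-TcpPort -HostName $CertificationCluster -Port $port
    "{0}:{1} reachable from perimeter: {2}" -f $CertificationCluster, $port, $ok
}

# 2. The perimeter host should answer the licensing pipeline only; the
#    certification pipeline is served by the internal cluster. (Paths assumed.)
$pipelines = @{
    'licensing (expected)'       = "https://$LicensingCluster/_wmcs/licensing/license.asmx"
    'certification (unexpected)' = "https://$LicensingCluster/_wmcs/certification/certification.asmx"
}
foreach ($name in $pipelines.Keys) {
    try {
        $resp = [System.Net.WebRequest]::Create($pipelines[$name]).GetResponse()
        "{0}: HTTP {1}" -f $name, [int]$resp.StatusCode
        $resp.Close()
    } catch { "{0}: no response ({1})" -f $name, $_.Exception.Message }
}

# 3. Host firewall on the Public (Internet-facing) profile: block all inbound
#    traffic except TCP 80 and 443, mirroring the external firewall rules.
netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="AD RMS licensing HTTP"  dir=in action=allow protocol=TCP localport=80  profile=public
netsh advfirewall firewall add rule name="AD RMS licensing HTTPS" dir=in action=allow protocol=TCP localport=443 profile=public
```

The host firewall rules in step 3 complement, but do not replace, the filtering on the external and internal network firewalls; the Active Directory membership ports toward the internal network must still be opened on the Domain profile.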

This solution offers the same advantages as Hosting AD RMS Servers in a Perimeter Network, with Directory Services Hosted in an Internal Network, with the following additional advantages:

  • It helps protect the AD RMS licensing servers from malicious users, both internal and external, by allowing access to those servers only through ports 80 and 443, with no external access to the certification cluster.

  • It allows for simple filtering rules on the external firewall, which is typically the most critical one.

  • Internet users cannot obtain rights account certificates (RACs), reducing the risk of unauthorized users accessing content through spoofing or impersonation techniques. Enrollment of additional unauthorized licensing clusters from the Internet is also prevented because this can be performed only from the AD RMS certification cluster, which is located on the internal network and protected behind the second firewall.

However, at the same time, this architecture has some disadvantages:

  • The AD RMS licensing servers are potentially exposed on ports 80/tcp and 443/tcp because some firewalls do not perform application-layer inspection.

  • The connection to the intranet requires many open ports. These include dynamic port ranges to support Active Directory domain membership by the servers, which can make it more difficult to secure and manage and can consume many firewall resources.

  • If an AD RMS server in the perimeter network is compromised, the risk of internal network compromise is increased because critical ports are open.

  • Client activation is not available from the Internet because RACs can be issued only by the AD RMS certification cluster. As a result, every client has to connect to the internal network at least once to be activated, either directly or through a remote access connection such as a VPN (for example, when the client is installed). For this reason, this solution does not support identity federation or federation through Microsoft Federation Gateway.

  • The external cluster must issue all licenses (both for publishing and consumption) because only servers in the cluster that issued a publishing license for a file can issue end-user licenses to access that file. If internal clusters, such as the certification cluster, are also used for issuing publishing licenses, those files cannot be licensed through the Internet.

While this configuration offers good flexibility and some security advantages, it is not very common because managing additional clusters requires extra effort. Additionally, the security risk introduced by the internal firewall configuration requirements (to allow Active Directory membership traffic from the AD RMS servers to the internal network) is still present.