Microsoft Federation Gateway Support Overview

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

The Microsoft Federation Gateway is an identity service that runs over the Internet and mediates between an organization or business and the external services that the organization wants to use. The gateway connects users and other identities to the services that it works with, so that an organization only has to manage a single identity-federation relationship to enable its identities to access all Microsoft and Microsoft-based services they want to use.

The Microsoft Federation Gateway provides applications with a simple, standards-based method of establishing trust between separate organizations that uses SSL certificates to prove domain ownership. Because the organizations federate with the gateway instead of with each other, it is much easier for an organization to establish trust relationships with multiple partners than is possible when it uses conventional one-on-one federation or other trust relationships. The scope of Active Directory Rights Management Services (AD RMS) federation can be easily controlled by creating allow or deny lists of users and domains for licensing and by specifying the domains that can receive publishing licenses. This guarantees that only appropriate organizations are given access to protected information.

Microsoft Federation Gateway Support in Windows Server® 2008 R2 Service Pack 1 (SP1) enables AD RMS to federate with the Microsoft Federation Gateway to authenticate users for certification and licensing. For example, Microsoft Exchange Server 2010 SP1 is designed to take advantage of this capability by enabling messages protected by AD RMS to be sent between organizations that do not share an Active Directory Domain Services (AD DS) infrastructure. When the Exchange Server 2010 SP1 infrastructure is configured to take advantage of these features, users can send AD RMS–protected e-mail messages to recipients outside the sender’s organization, and those recipients can then view the messages by using Exchange Server 2010 Outlook Web App. Also, senders can grant permission to recipient organizations that use Exchange Server 2010 SP1 permission to decrypt content for such purposes as journaling and malware scanning.

For more information about the Microsoft Federation Gateway, see Microsoft Federation Gateway ( on MSDN. For more information about how to deploy Microsoft Federation Gateway Support on AD RMS, see Deploying and Configuring Microsoft Federation Gateway Support.