Configuring servers for the Azure Rights Management connector

Applies to: Azure Information Protection, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Use the following information to help you configure the on-premises servers that will use the Azure Rights Management (RMS) connector. These procedures cover step 5 of Deploying the Azure Rights Management connector.

Before you begin, make sure that you have installed and configured the RMS connector, and that you have checked the prerequisites that apply to the servers that will use the connector.

Configuring servers to use the RMS connector

After you have installed and configured the RMS connector, you are ready to configure the on-premises servers that will connect to the Azure Rights Management service and use this protection technology through the connector. This means configuring the following servers:

  • For Exchange 2016 and Exchange 2013: client access servers and mailbox servers

  • For Exchange 2010: client access servers and hub transport servers

  • For SharePoint: front-end SharePoint web servers, including those hosting the Central Administration server

  • For File Classification Infrastructure: Windows Server computers that have File Server Resource Manager installed

This configuration consists of registry settings. You have two options for applying them: automatically, by using the server configuration tool for Microsoft RMS connector, or manually, by editing the registry.


Automatically by using the server configuration tool for Microsoft RMS connector:

  • Advantages:

    • No direct editing of the registry. The edits are made for you by a script.

    • No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL.

    • The prerequisites are checked for you automatically (but not automatically remediated) if you run the tool locally.

  • Disadvantages:

    • When you run the tool, you must be able to connect to a server that is already running the RMS connector.

Manually by editing the registry:

  • Advantages:

    • No connectivity to a server running the RMS connector is required.

  • Disadvantages:

    • More administrative overhead, and the edits are error-prone.

    • You must obtain your Microsoft RMS URL, which requires running a Windows PowerShell command.

    • You must always perform all the prerequisite checks yourself.


Important

In both cases, you must install any prerequisites manually and configure Exchange, SharePoint, and File Classification Infrastructure to use Rights Management.

For most organizations, automatic configuration by using the server configuration tool for Microsoft RMS connector is the better option, because it is more efficient and less error-prone than manual configuration.

After you make the configuration changes on these servers, you must restart them if they are running Exchange or SharePoint and were previously configured to use AD RMS. There is no need to restart these servers if you are configuring them for Rights Management for the first time. You must always restart a file server that is configured to use File Classification Infrastructure after you make these configuration changes.

How to use the server configuration tool for Microsoft RMS connector

  1. If you haven't already downloaded the script for the server configuration tool for Microsoft RMS connector (GenConnectorConfig.ps1), download it from the Microsoft Download Center.

  2. Save the GenConnectorConfig.ps1 file on the computer where you will run the tool. If you will run the tool locally, this must be the server that you want to configure to communicate with the RMS connector. Otherwise, you can save it on any computer.

  3. Decide how to run the tool:

    • Locally: You can run the tool interactively on the server that is to be configured to communicate with the RMS connector. This is useful for a one-off configuration, such as a test environment.

    • Software deployment: You can run the tool to produce registry files that you then deploy to one or more relevant servers by using a systems management application that supports software deployment, such as System Center Configuration Manager.

    • Group Policy: You can run the tool to produce a script that you give to an administrator who can create Group Policy Objects for the servers to be configured. The script creates one Group Policy Object for each server type to be configured, which the administrator can then assign to the relevant servers.

    Note

    This tool configures the servers that will communicate with the RMS connector and that are listed at the beginning of this section. Do not run this tool on the servers that run the RMS connector.

  4. Start Windows PowerShell with the Run as administrator option, and use the Get-Help command to read the instructions for using the tool with your chosen configuration method:

    Get-Help .\GenConnectorConfig.ps1 -Detailed
    

To run the script, you must enter the URL of the RMS connector for your organization. Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load-balanced address of your connector, for example, https://connector.contoso.com. The tool then uses that URL to contact the servers running the RMS connector and obtain the other parameters that are used to create the required configuration.

Important

When you run this tool, make sure that you specify the name of the load-balanced RMS connector for your organization and not the name of a single server that runs the RMS connector service.

Use the following sections for information specific to each service type:

Note

After these servers are configured to use the connector, client applications that are installed locally on those servers might not work with RMS. When this happens, it is because the applications try to use the connector rather than RMS directly, which is not supported.

In addition, if Office 2010 is installed locally on an Exchange server, the client application's IRM features might work from that computer after the server is configured to use the connector, but this is not supported.

In both scenarios, you must install the client applications on separate computers that are not configured to use the connector. They will then correctly use RMS directly.

Configuring an Exchange server to use the connector

The following Exchange roles communicate with the RMS connector:

  • For Exchange 2016 and Exchange 2013: client access server and mailbox server

  • For Exchange 2010: client access server and hub transport server

To use the RMS connector, these servers running Exchange must be running one of the following software versions:

  • Exchange Server 2016

  • Exchange Server 2013 with Exchange 2013 Cumulative Update 3

  • Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 6

These servers also need a version 1 RMS client (also known as MSDRM) that includes support for RMS Cryptographic Mode 2. All Windows operating systems include the MSDRM client, but early versions of the client did not support Cryptographic Mode 2. If your Exchange servers are running at least Windows Server 2012, no further action is required, because the RMS client installed with these operating systems natively supports Cryptographic Mode 2.

Important

If these versions (or later versions) of Exchange and the MSDRM client are not installed, you will not be able to configure Exchange to use the connector. Check that these versions are installed before you continue.

To configure Exchange servers to use the connector

  1. Make sure that the Exchange servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information in the Authorizing servers to use the RMS connector section. This configuration is required so that Exchange can use the RMS connector.

  2. On the Exchange server roles that communicate with the RMS connector, do one of the following:

    • Run the server configuration tool for Microsoft RMS connector. For more information, see How to use the server configuration tool for Microsoft RMS connector in this article.

    • Make manual registry edits by using the information in Registry settings for the RMS connector to add the registry settings on the servers.

  3. Enable IRM functionality for Exchange by using the Exchange PowerShell cmdlet Set-IRMConfiguration, setting InternalLicensingEnabled to $true and ClientAccessServerEnabled to $true.
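The following script is an added example, not code from the original article or from Microsoft. It shows the checks a practitioner would run on an Exchange 2013 or 2016 server before and after step 3: the Windows Server 2012 minimum for native Cryptographic Mode 2 support, the scheme and reachability of the connector URL the server was configured with in step 2, the Set-IRMConfiguration call itself, and an end-to-end verification with Test-IRMConfiguration. It assumes the Exchange Management Shell running as an Exchange administrator; the connector URL and the test sender address are placeholders.

```powershell
# Added example (not from the original article): pre-flight checks and IRM
# enablement for an Exchange 2013/2016 server that will use the RMS connector.
# Assumptions: run in the Exchange Management Shell as an Exchange administrator,
# after step 2 has placed the connector registry settings on this server;
# the connector URL and the test sender address are placeholders.
$ConnectorUri = 'https://rmsconnector.contoso.com'   # load-balanced DNS name, never an individual connector server
$TestSender   = 'user@contoso.com'                   # constructed: any mailbox in the organization

# 1. Cryptographic Mode 2 in the built-in MSDRM client is native from Windows Server 2012 (NT 6.2).
$os = [System.Environment]::OSVersion.Version
if ($os -lt [version]'6.2') {
    throw "Windows $os: the built-in MSDRM client may lack Cryptographic Mode 2 support; update it before continuing."
}

# 2. Sanity-check the connector URL: scheme and TCP reachability of the load-balanced name.
$uri = [uri]$ConnectorUri
if ($uri.Scheme -ne 'https') {
    Write-Warning "$ConnectorUri is not HTTPS; the connector accepts HTTP, but HTTPS protects the licensing traffic in transit."
}
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($uri.Host, $uri.Port) }      # $uri.Port is 443 for https without an explicit port
catch   { throw "Cannot reach $($uri.Host):$($uri.Port): $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. Step 3 of the procedure: internal licensing plus IRM for client access (Outlook on the web, transport rules).
Set-IRMConfiguration -InternalLicensingEnabled $true -ClientAccessServerEnabled $true

# 4. Confirm the effective settings, then exercise the whole path (RAC/CLC acquisition,
#    template retrieval, encrypt and decrypt of a test message) through the configured licensing location.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ClientAccessServerEnabled, LicensingLocation
$result = Test-IRMConfiguration -Sender $TestSender
$result.Results                                      # multi-line report from the cmdlet
if ($result.Results -notmatch 'OVERALL RESULT: PASS') {
    Write-Warning 'IRM test did not pass; review the report above before putting the server into service.'
}

# Only servers that were previously configured for AD RMS need a restart after the registry change.
```

Run Test-IRMConfiguration again after any change to the registry settings or to the connector's authorized-servers list; a failing RAC or CLC acquisition is the usual sign that the server is not authorized on the connector or that the URL points at a single connector host rather than the load-balanced name.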

Configuring a SharePoint server to use the connector

The following SharePoint roles communicate with the RMS connector:

  • Front-end SharePoint web servers, including those hosting the Central Administration server

To use the RMS connector, these servers running SharePoint must be running one of the following software versions:

  • SharePoint Server 2019

  • SharePoint Server 2016

  • SharePoint Server 2013

  • SharePoint Server 2010

A server running SharePoint 2019, SharePoint 2016, or SharePoint 2013 must also be running a version of the MSIPC client 2.1 that is supported with the RMS connector. To make sure that you have a supported version, download the latest client from the Microsoft Download Center.

Warning

There are multiple versions of the MSIPC 2.1 client, so make sure that you have version 1.0.2004.0 or later.

You can verify the client version by checking the version number of MSIPC.dll, which is located in \Program Files\Active Directory Rights Management Services Client 2.1. The Properties dialog box for the file shows the version number of the MSIPC 2.1 client.

Servers running SharePoint 2010 must have a version of the MSDRM client that includes support for RMS Cryptographic Mode 2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

To configure SharePoint servers to use the connector

  1. Make sure that the SharePoint servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information in the Authorizing servers to use the RMS connector section. This configuration is required so that your SharePoint servers can use the RMS connector.

  2. On the SharePoint servers that communicate with the RMS connector, do one of the following:

    • Run the server configuration tool for Microsoft RMS connector. For more information, see How to use the server configuration tool for Microsoft RMS connector in this article.

      For example, to run the tool locally to configure a server running SharePoint 2019, SharePoint 2016, or SharePoint 2013:

      .\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013

    • If you are using SharePoint 2019, SharePoint 2016, or SharePoint 2013, make manual registry edits by using the information in Registry settings for the RMS connector to add the registry settings on the servers.

  3. Enable IRM in SharePoint. For more information, see Configure Information Rights Management (SharePoint Server 2010) in the SharePoint library.

    When you follow those instructions, you must configure SharePoint to use the connector by selecting Use this RMS server and entering the load-balanced connector URL that you configured. Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load-balanced address of your connector. For example, if your connector name is https://connector.contoso.com, your configuration looks like the following picture:

    [Picture: Configuring SharePoint Server for the RMS connector]

    After IRM is enabled on a SharePoint farm, you can enable IRM on individual libraries by using the Information Rights Management option on the Library Settings page for each library.
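The following script is an added example, not code from the original article or from Microsoft. It covers two passages above in one block: the MSIPC 2.1 version check against 1.0.2004.0 (the Warning), done from the file's version resource rather than the Properties dialog, and the farm-level and library-level IRM enablement of step 3, done from the SharePoint object model rather than Central Administration. It assumes the SharePoint Management Shell running as a farm administrator on a SharePoint 2013/2016/2019 front-end; the connector URL, web URL and library title are placeholders, and the IrmSettings properties are assumed to be the object-model equivalent of the "Use this RMS server" option, which you should confirm against your SharePoint version.

```powershell
# Added example (not from the original article): verify the MSIPC 2.1 client,
# point the farm's IRM settings at the load-balanced connector, and enable IRM on one library.
# Assumptions: SharePoint Management Shell, farm administrator; placeholder URLs and titles;
# the IrmSettings properties are assumed to map to Central Administration's "Use this RMS server".
$ConnectorUri = 'https://rmsconnector.contoso.com'          # load-balanced connector name
$WebUrl       = 'https://intranet.contoso.com/sites/finance' # constructed
$LibraryTitle = 'Documents'                                  # constructed
$MinimumMsipc = [version]'1.0.2004.0'                        # minimum stated in the Warning above

function Test-MsipcClientVersion {
    param([version]$Minimum = $MinimumMsipc)
    $dll = Join-Path $env:ProgramFiles 'Active Directory Rights Management Services Client 2.1\MSIPC.dll'
    if (-not (Test-Path $dll)) { throw "MSIPC 2.1 client not found at $dll; install it from the Microsoft Download Center." }
    # Build the version from the numeric parts so that any text in the FileVersion string is ignored
    $vi = (Get-Item $dll).VersionInfo
    $installed = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($installed -lt $Minimum) { throw "MSIPC.dll is $installed; version $Minimum or later is required for the RMS connector." }
    return $installed
}

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Write-Host "MSIPC 2.1 client version $(Test-MsipcClientVersion) is supported."

# Farm-level IRM: explicit connector URL instead of AD RMS service connection point discovery
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$irm = $contentService.IrmSettings
$irm.IrmRMSEnabled    = $true
$irm.IrmRMSUseAD      = $false             # "Use this RMS server", not "Use the default RMS server specified in AD"
$irm.IrmRMSCertServer = [uri]$ConnectorUri  # must be the load-balanced name, with protocol prefix
$contentService.Update()

# Library-level IRM: equivalent of Library Settings > Information Rights Management
$web = Get-SPWeb $WebUrl
try {
    $list = $web.Lists[$LibraryTitle]
    if (-not $list) { throw "Library '$LibraryTitle' not found in $WebUrl" }
    $list.IrmEnabled = $true
    $list.InformationRightsManagementSettings.PolicyTitle       = 'Finance documents'
    $list.InformationRightsManagementSettings.PolicyDescription = 'Protected by Azure RMS through the RMS connector'
    $list.Update()
}
finally {
    $web.Dispose()
}
```

After the farm-level change, download a document from the library from a client that is not configured to use the connector; it should open only for users the policy allows, and the server's IRM errors, if any, appear in the ULS logs rather than in the browser.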

Configuring a file server for File Classification Infrastructure to use the connector

To use the RMS connector and File Classification Infrastructure to protect Office documents, the file server must be running one of the following operating systems:

  • Windows Server 2016

  • Windows Server 2012 R2

  • Windows Server 2012

To configure file servers to use the connector

  1. Make sure that the file servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information in the Authorizing servers to use the RMS connector section. This configuration is required so that your file servers can use the RMS connector.

  2. On the file servers that are configured for File Classification Infrastructure and that will communicate with the RMS connector, do one of the following:

    • Run the server configuration tool for Microsoft RMS connector. For more information, see How to use the server configuration tool for Microsoft RMS connector in this article.

    • Make manual registry edits by using the information in Registry settings for the RMS connector to add the registry settings on the servers.

  3. Create classification rules and file management tasks to protect documents with RMS encryption, and specify an RMS template that applies the RMS policy automatically. For more information, see File Server Resource Manager Overview in the Windows Server documentation library.
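The following script is an added example, not code from the original article or from Microsoft. It shows step 3 end to end with the FileServerResourceManager cmdlets: a classification property, a content-classifier rule that marks files containing a card-number-like pattern as Confidentiality=High, and a continuous file management job that RMS-protects every file so classified with a named template. It assumes an elevated session on a Windows Server 2012 R2 file server that has already been configured for the connector in step 2; the share path, property name, regular expression and template name are placeholders, and the template must already exist in Azure RMS with the "show this template to all users when the applications do not support user identity" option selected, as the Next steps section below requires for FCI.

```powershell
# Added example (not from the original article): classify and RMS-protect files with FSRM.
# Assumptions: elevated PowerShell on Windows Server 2012 R2 with the FSRM role service installed
# and the server already configured for the RMS connector; the share path, property, pattern and
# template name are placeholders. The template must be published in Azure RMS and configured to be
# shown to all users when the application does not support user identity (FCI has no user context).
Import-Module FileServerResourceManager

$ShareRoot    = 'D:\Shares\Finance'                  # constructed
$TemplateName = 'Contoso - Confidential Finance'     # constructed; must match the template name in Azure RMS

# 1. Classification property that the rule sets and the job tests
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'Confidentiality' -ErrorAction SilentlyContinue)) {
    $values = @(
        New-FsrmClassificationPropertyValue -Name 'High'
        New-FsrmClassificationPropertyValue -Name 'Low'
    )
    New-FsrmClassificationPropertyDefinition -Name 'Confidentiality' -Type SingleChoice -PossibleValue $values
}

# 2. Content classifier: four groups of four digits, optionally separated by a space or dash
$cardPattern = '\b(?:\d{4}[ -]?){3}\d{4}\b'
New-FsrmClassificationRule -Name 'Finance - card numbers' `
    -Property 'Confidentiality' -PropertyValue 'High' `
    -Namespace @($ShareRoot) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @($cardPattern) `
    -ReevaluateProperty Overwrite              # re-run on modified files; a removed pattern downgrades the value

# 3. File management job: apply the RMS template to everything classified High, continuously
$condition = New-FsrmFmjCondition -Property 'Confidentiality' -Condition Equal -Value 'High'
$action    = New-FsrmFmjAction -Type Rms -RmsTemplate $TemplateName
New-FsrmFileManagementJob -Name 'Protect High confidentiality' `
    -Namespace @($ShareRoot) -Condition @($condition) -Action $action -Continuous

# 4. Classify the existing content now and run the job once; -Continuous handles new and changed files afterwards
Start-FsrmClassification
Start-FsrmFileManagementJob -Name 'Protect High confidentiality'
```

Check the FSRM classification and file management reports after the first run; a job that classifies files correctly but fails to protect them usually means the server is not authorized on the connector, the registry settings from step 2 are missing, or the template is not visible to applications without user identity. Remember that FCI servers must be restarted after the step 2 registry changes.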

Next steps

Now that the RMS connector is installed and configured, and your servers are configured to use it, IT administrators and users can protect and consume email messages and documents by using the Azure Rights Management service. To make this easy for users, deploy the Azure Information Protection client, which installs an add-in for Office and adds new right-click options to File Explorer. For more information, see the Azure Information Protection client administrator guide.

Note that if you configure departmental templates that you want to use with Exchange transport rules or Windows Server FCI, the scope configuration must include the application compatibility option, so that the Show this template to all users when the applications do not support user identity check box is selected.

You can use the Azure Information Protection deployment roadmap to check whether there are other configuration steps that you might want to do before you roll out Azure Rights Management to users and administrators.

To monitor the RMS connector, see Monitor the Azure Rights Management connector.