Installing and configuring the Azure Rights Management connector

Applies to: Azure Information Protection, Windows Server 2019, 2016, 2012 R2, and Windows Server 2012

Use the following information to help you install and configure the Azure Rights Management (RMS) connector. These procedures cover steps 1 through 4 from Deploying the Azure Rights Management connector.

Before you begin, make sure that you have reviewed and checked the prerequisites for this deployment.

Make sure you are aware of the correct Azure sovereign cloud instance for your connector to be able to complete setup and configuration:

  • AzureCloud: Commercial offering of Azure
  • AzureChinaCloud: Azure Operated by 21Vianet
  • AzureUSGovernment: Azure Government (GCC High/DoD)
  • AzureUSGovernment2: Azure Government 2
  • AzureUSGovernment3: Azure Government 3

Installing the RMS connector

  1. Identify the computers (minimum of two) to run the RMS connector. These computers must meet the minimum specification listed in the prerequisites.

    Note

    Install a single RMS connector (consisting of multiple servers for high availability) per tenant (Microsoft 365 tenant or Azure AD tenant). Unlike Active Directory RMS, you do not have to install an RMS connector in each forest.

  2. Download the source files for the RMS connector from the Microsoft Download Center.

    To install the RMS connector, download RMSConnectorSetup.exe.

    In addition:

    • If you want to use the server configuration tool for the RMS connector, to automate the configuration of registry settings on your on-premises servers, also download GenConnectorConfig.ps1.

  3. On the computer on which you want to install the RMS connector, run RMSConnectorSetup.exe with administrator privileges.

  4. On the Welcome page of Microsoft Rights Management Connector Setup, select Install Microsoft Rights Management connector on the computer, and then click Next.

  5. Read and agree to the RMS connector license terms, and then click Next.

Entering credentials

Before you can configure the RMS connector, you must first select the Cloud environment that matches your solution.

  • AzureCloud: Commercial offering of Azure
  • AzureChinaCloud: Azure Operated by 21Vianet
  • AzureUSGovernment: Azure Government (GCC High/DoD)
  • AzureUSGovernment2: Azure Government 2
  • AzureUSGovernment3: Azure Government 3

Select the correct Azure environment to authenticate the new AAD RM connector

After making your Cloud environment selection, enter your Username and password. Make sure you enter credentials for an account that has sufficient privileges to configure the RMS connector. For example, you might type admin@contoso.com and then specify the password for this account.

In addition, if you have implemented onboarding controls, make sure that the account you specify is able to protect content. For example, if you restricted the ability to protect content to the "IT department" group, the account that you specify here must be a member of that group. If not, you see the error message: The attempt to discover the location of the administration service and organization failed. Make sure Microsoft Rights Management service is enabled for your organization.

You can use an account that has one of the following privileges:

  • Global administrator for your tenant: An account that is a global administrator for your Microsoft 365 tenant or Azure AD tenant.

  • Azure Rights Management global administrator: An account in Azure Active Directory that has been assigned the Azure RMS global administrator role.

  • Azure Rights Management connector administrator: An account in Azure Active Directory that has been granted rights to install and administer the RMS connector for your organization.

    Note

    The Azure Rights Management global administrator role and Azure Rights Management connector administrator role are assigned to accounts by using the Add-AipServiceRoleBasedAdministrator cmdlet.

    To run the RMS connector with least privileges, create a dedicated account for this purpose that you then assign the Azure RMS connector administrator role by doing the following:

    1. If you haven't already done so, download and install the AIPService PowerShell module. For more information, see Installing the AIPService PowerShell module.

      Start Windows PowerShell with the Run as administrator command, and connect to the protection service by using the Connect-AipService command:

      Connect-AipService                   # provide Microsoft 365 tenant administrator or Azure RMS global administrator credentials

    2. Then run the Add-AipServiceRoleBasedAdministrator command, using just one of the following parameters:

      Add-AipServiceRoleBasedAdministrator -EmailAddress <email address> -Role "ConnectorAdministrator"

      Add-AipServiceRoleBasedAdministrator -ObjectId <object id> -Role "ConnectorAdministrator"

      Add-AipServiceRoleBasedAdministrator -SecurityGroupDisplayName <group Name> -Role "ConnectorAdministrator"

      For example, type: Add-AipServiceRoleBasedAdministrator -EmailAddress melisa@contoso.com -Role "ConnectorAdministrator"

      Although these commands assign the connector administrator role, you can also use the GlobalAdministrator role here.
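      The least-privilege assignment above, carried through end to end as an added example (not from the original article or the AIPService module documentation): a dedicated account receives only the ConnectorAdministrator role, and the role assignments are read back with Get-AipServiceRoleBasedAdministrator so the result can be confirmed before the connector wizard is run. The function name and the account name are constructed placeholders; the script assumes an elevated Windows PowerShell session with the AIPService module installed.

```powershell
# Added example, not part of the original article.
# Grants the Azure RMS connector administrator role to a dedicated account and
# returns the current role assignments so the operator can verify the change.
Import-Module AIPService

function Grant-RmsConnectorAdministrator {
    param(
        # Dedicated account used only for connector installation and administration.
        [Parameter(Mandatory)] [string] $EmailAddress
    )

    # Prompts for Microsoft 365 tenant administrator or Azure RMS global
    # administrator credentials (the connector administrator role is not enough
    # to assign roles).
    Connect-AipService

    # Assign only the connector administrator role; GlobalAdministrator would
    # also work here but grants far more than the connector needs.
    Add-AipServiceRoleBasedAdministrator -EmailAddress $EmailAddress -Role 'ConnectorAdministrator'

    # Read the assignments back so the new entry can be confirmed.
    Get-AipServiceRoleBasedAdministrator
}

# 'rmsconnector-svc@contoso.com' is a constructed placeholder account name.
Grant-RmsConnectorAdministrator -EmailAddress 'rmsconnector-svc@contoso.com' | Format-Table -AutoSize
```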

During the RMS connector installation process, all prerequisite software is validated and installed, Internet Information Services (IIS) is installed if not already present, and the connector software is installed and configured. In addition, Azure RMS is prepared for configuration by creating the following:

  • An empty table of servers that are authorized to use the connector to communicate with Azure RMS. Add servers to this table later.

  • A set of security tokens for the connector, which authorize operations with Azure RMS. These tokens are downloaded from Azure RMS and installed on the local computer in the registry. They are protected by using the data protection application programming interface (DPAPI) and the Local System account credentials.

On the final page of the wizard, do the following, and then click Finish:

  • If this is the first connector that you have installed, do not select Launch connector administrator console to authorize servers at this time. You will select this option after you have installed your second (or final) RMS connector. Instead, run the wizard again on at least one other computer. You must install a minimum of two connectors.

  • If you have installed your second (or final) connector, select Launch connector administrator console to authorize servers.

Tip

At this point, there is a verification test that you can perform to test whether the web services for the RMS connector are operational:

  • From a web browser, connect to http://<connectoraddress>/_wmcs/certification/servercertification.asmx, replacing <connectoraddress> with the server address or name that has the RMS connector installed. A successful connection displays a ServerCertificationWebService page.

If you need to uninstall the RMS connector, run the wizard again and select the uninstall option.

If you experience any problems during the installation, check the installation log: %LocalAppData%\Temp\Microsoft Rights Management connector_<date and time>.log

As an example, your install log might look similar to C:\Users\Administrator\AppData\Local\Temp\Microsoft Rights Management connector_20170803110352.log

Authorizing servers to use the RMS connector

When you have installed the RMS connector on at least two computers, you are ready to authorize the servers and services that you want to use the RMS connector. For example, servers running Exchange Server 2013 or SharePoint Server 2013.

To define these servers, run the RMS connector administration tool and add entries to the list of allowed servers. You can run this tool when you select Launch connector administration console to authorize servers at the end of the Microsoft Rights Management connector Setup wizard, or you can run it separately from the wizard.

When you authorize these servers, be aware of the following considerations:

  • Servers that you add are granted special privileges. All accounts that you specify for the Exchange Server role in the connector configuration are granted the super user role in Azure RMS, which gives them access to all content for this RMS tenant. The super user feature is automatically enabled at this point, if necessary. To avoid the security risk of elevation of privileges, be careful to specify only the accounts that are used by your organization's Exchange servers. All servers configured as SharePoint servers or file servers that use FCI are granted regular user privileges.

  • You can add multiple servers as a single entry by specifying an Active Directory security or distribution group, or a service account that is used by more than one server. When you use this configuration, the group of servers shares the same RMS certificates and all are considered owners of content that any of them have protected. To minimize administrative overheads, we recommend that you use this configuration of a single group rather than individual servers to authorize your organization's Exchange servers or a SharePoint server farm.

On the Servers allowed to utilize the connector page, click Add.

Note

Authorizing servers is the equivalent configuration in Azure RMS to the AD RMS configuration of manually applying NTFS rights to ServerCertification.asmx for the service or server computer accounts, and manually granting user super rights to the Exchange accounts. Applying NTFS rights to ServerCertification.asmx is not required on the connector.

Add a server to the list of allowed servers

On the Allow a server to utilize the connector page, enter the name of the object, or browse to identify the object to authorize.

It is important that you authorize the correct object. For a server to use the connector, the account that runs the on-premises service (for example, Exchange or SharePoint) must be selected for authorization. For example, if the service is running as a configured service account, add the name of that service account to the list. If the service is running as Local System, add the name of the computer object (for example, SERVERNAME$). As a best practice, create a group that contains these accounts and specify the group instead of individual server names.

More information about the different server roles:

  • For servers that run Exchange: You must specify a security group, and you can use the default group (Exchange Servers) that Exchange automatically creates and maintains of all Exchange servers in the forest.

  • For servers that run SharePoint:

    • If a SharePoint 2010 server is configured to run as Local System (it's not using a service account), manually create a security group in Active Directory Domain Services, and add the computer name object for the server in this configuration to this group.

    • If a SharePoint server is configured to use a service account (the recommended practice for SharePoint 2010 and the only option for SharePoint 2016 and SharePoint 2013), do the following:

      1. Add the service account that runs the SharePoint Central Administration service to enable SharePoint to be configured from its administrator console.

      2. Add the account that is configured for the SharePoint App Pool.

      Tip

      If these two accounts are different, consider creating a single group that contains both accounts to minimize the administrative overheads.

  • For file servers that use File Classification Infrastructure, the associated services run as the Local System account, so you must authorize the computer account for the file servers (for example, SERVERNAME$) or a group that contains those computer accounts.

When you have finished adding servers to the list, click Close.

If you haven't already done so, you must now configure load balancing for the servers that have the RMS connector installed, and consider whether to use HTTPS for the connections between these servers and the servers that you have just authorized.

Configuring load balancing and high availability

After you have installed the second or final instance of the RMS connector, define a connector URL server name and configure a load-balancing system.

The connector URL server name can be any name under a namespace that you control. For example, you could create an entry in your DNS system for rmsconnector.contoso.com and configure this entry to use an IP address in your load-balancing system. There are no special requirements for this name, and it doesn't need to be configured on the connector servers themselves. Unless your Exchange and SharePoint servers are going to be communicating with the connector over the internet, this name doesn't have to resolve on the internet.

Important

We recommend that you don't change this name after you have configured Exchange or SharePoint servers to use the connector, because you then have to clear these servers of all IRM configurations and reconfigure them.

After the name is created in DNS and is configured for an IP address, configure load balancing for that address, which directs traffic to the connector servers. You can use any IP-based load balancer for this purpose, which includes the Network Load Balancing (NLB) feature in Windows Server. For more information, see Load Balancing Deployment Guide.

Use the following settings to configure the NLB cluster:

  • Ports: 80 (for HTTP) or 443 (for HTTPS)

    For more information about whether to use HTTP or HTTPS, see the next section.

  • Affinity: None

  • Distribution method: Equal

This name that you define for the load-balanced system (for the servers running the RMS connector service) is your organization's RMS connector name that you use later, when you configure the on-premises servers to use Azure RMS.

Configuring the RMS connector to use HTTPS

Note

This configuration step is optional, but recommended for additional security.

Although the use of TLS or SSL is optional for the RMS connector, we recommend it for any HTTP-based security-sensitive service. This configuration authenticates the servers running the connector to your Exchange and SharePoint servers that use the connector. In addition, all data that is sent from these servers to the connector is encrypted.

To enable the RMS connector to use TLS, on each server that runs the RMS connector, install a server authentication certificate that contains the name that you use for the connector. For example, if the RMS connector name that you defined in DNS is rmsconnector.contoso.com, deploy a server authentication certificate that contains rmsconnector.contoso.com in the certificate subject as the common name. Or, specify rmsconnector.contoso.com in the certificate alternative name as the DNS value. The certificate does not have to include the name of the server. Then in IIS, bind this certificate to the Default Web Site.

If you use the HTTPS option, ensure that all servers that run the connector have a valid server authentication certificate that chains to a root CA that your Exchange and SharePoint servers trust. In addition, if the certification authority (CA) that issued the certificates for the connector servers publishes a certificate revocation list (CRL), the Exchange and SharePoint servers must be able to download this CRL.

Tip

You can use the following information and resources to help you request and install a server authentication certificate, and to bind this certificate to the Default Web Site in IIS:

  • If you use Active Directory Certificate Services (AD CS) and an enterprise certification authority (CA) to deploy these server authentication certificates, you can duplicate and then use the Web Server certificate template. This certificate template uses Supplied in the request for the certificate subject name, which means that you can provide the FQDN of the RMS connector name for the certificate subject name or subject alternative name when you request the certificate.
  • If you use a stand-alone CA or purchase this certificate from another company, see Configuring Internet Server Certificates (IIS 7) in the Web Server (IIS) documentation library on TechNet.
  • To configure IIS to use the certificate, see Add a Binding to a Site (IIS 7) in the Web Server (IIS) documentation library on TechNet.
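The web-service check from the tip in the installation section and the certificate requirements in this section, combined into one added example (not from the original article): it requests servercertification.asmx on each connector server and on the load-balanced name, and for HTTPS it also inspects the served certificate for the connector name, a chain to a trusted root, and online revocation (CRL) checking, which is what the Exchange and SharePoint clients will require. Host names and function names are constructed placeholders; the script assumes Windows PowerShell 5.1 or later on a machine that trusts the same root CA as your Exchange and SharePoint servers.

```powershell
# Added example, not part of the original article. Connector host names are constructed.
$ConnectorName  = 'rmsconnector.contoso.com'                   # load-balanced DNS name
$ConnectorHosts = @('rmsconn01.contoso.com', 'rmsconn02.contoso.com', $ConnectorName)

function Test-RmsConnectorWebService {
    # Fetch the ServerCertification page the article names and confirm it is served.
    param([Parameter(Mandatory)] [string] $HostName, [switch] $UseHttps)
    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    $url = "${scheme}://$HostName/_wmcs/certification/servercertification.asmx"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
        [pscustomobject]@{
            Url = $url; StatusCode = $r.StatusCode
            ServiceOk = ($r.StatusCode -eq 200 -and $r.Content -match 'ServerCertificationWebService')
            Error = $null
        }
    } catch {
        # A TLS failure (untrusted chain, name mismatch) also lands here.
        [pscustomobject]@{ Url = $url; StatusCode = $null; ServiceOk = $false; Error = $_.Exception.Message }
    }
}

function Test-RmsConnectorCertificate {
    # Inspect the certificate a connector server presents for the connector name.
    param([Parameter(Mandatory)] [string] $HostName, [Parameter(Mandatory)] [string] $ExpectedName)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        # Accept everything in the callback; the checks below are done explicitly.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($ExpectedName)   # SNI uses the connector name, as clients will
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }

    # Build the chain the way a client would: trusted root required, CRL fetched online.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Host        = $HostName
        Subject     = $cert.Subject
        NameMatches = ($cert.DnsNameList.Unicode -contains $ExpectedName)   # CN or SAN DNS entry
        ChainOk     = $chainOk
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NotAfter    = $cert.NotAfter
    }
}

$ConnectorHosts | ForEach-Object { Test-RmsConnectorWebService -HostName $_ -UseHttps } | Format-Table -AutoSize
$ConnectorHosts | ForEach-Object { Test-RmsConnectorCertificate -HostName $_ -ExpectedName $ConnectorName } | Format-Table -AutoSize
```

Run it with -UseHttps omitted to repeat the plain HTTP check from the installation tip; a NameMatches of False on an individual server is expected only if that server's certificate carries neither the connector name nor a matching SAN, which the article says it must.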

Configuring the RMS connector for a web proxy server

If your connector servers are installed in a network that does not have direct internet connectivity and requires manual configuration of a web proxy server for outbound internet access, you must configure the registry on these servers for the RMS connector.

To configure the RMS connector to use a web proxy server

  1. On each server running the RMS connector, open a registry editor, such as Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector

  3. Add the string value of ProxyAddress and then set the Data for this value to be http://<MyProxyDomainOrIPaddress>:<MyProxyPort>

    For example: http://proxyserver.contoso.com:8080

  4. Close the registry editor, and then restart the server or perform an IISReset command to restart IIS.
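The four steps above applied to every connector server from one administrative session, as an added example (not from the original article): it validates the proxy URL shape the article specifies, writes the ProxyAddress string value under the documented key, restarts IIS, and reads the value back. Server names and the proxy URL are constructed placeholders; the function name is hypothetical, and the script assumes PowerShell remoting is enabled on the connector servers.

```powershell
# Added example, not part of the original article. Names below are constructed.
$ConnectorServers = @('rmsconn01.contoso.com', 'rmsconn02.contoso.com')
$ProxyAddress     = 'http://proxyserver.contoso.com:8080'

function Set-RmsConnectorProxy {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Proxy
    )
    # Only the http://<host-or-IP>:<port> form from step 3 is accepted.
    if ($Proxy -notmatch '^http://[A-Za-z0-9.\-]+:\d{1,5}$') {
        throw "ProxyAddress must look like http://<MyProxyDomainOrIPaddress>:<MyProxyPort>, got '$Proxy'"
    }

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Proxy -ScriptBlock {
        param($ProxyValue)
        # Step 2: the connector's registry key (HKLM:\ is the PowerShell view of HKEY_LOCAL_MACHINE).
        $key = 'HKLM:\SOFTWARE\Microsoft\AADRM\Connector'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # Step 3: REG_SZ value named ProxyAddress.
        New-ItemProperty -Path $key -Name 'ProxyAddress' -PropertyType String -Value $ProxyValue -Force | Out-Null

        # Step 4: restart IIS so the connector picks up the new setting (no reboot needed).
        iisreset.exe /restart | Out-Null

        # Read the value back so the caller can confirm each server.
        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            ProxyAddress = (Get-ItemProperty -Path $key -Name 'ProxyAddress').ProxyAddress
        }
    }
}

Set-RmsConnectorProxy -ComputerName $ConnectorServers -Proxy $ProxyAddress | Format-Table -AutoSize
```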

Installing the RMS connector administration tool on administrative computers

You can run the RMS connector administration tool from a computer that does not have the RMS connector installed, if that computer meets the following requirements:

  • A physical or virtual computer running Windows Server 2019, 2016, 2012 or Windows Server 2012 R2 (all editions), Windows 10, Windows 8.1, or Windows 8.

  • At least 1 GB of RAM.

  • A minimum of 64 GB of disk space.

  • At least one network interface.

  • Access to the internet via a firewall (or web proxy).

To install the RMS connector administration tool, run the following files:

  • For a 64-bit computer: RMSConnectorSetup.exe

If you haven't already downloaded these files, you can do so from the Microsoft Download Center.

Next steps

Now that the RMS connector is installed and configured, you are ready to configure your on-premises servers to use it. Go to Configuring servers for the Azure Rights Management connector.