IRM in Exchange hybrid deployments

Summary: How IRM works in an Exchange hybrid environment, and how to configure IRM to work between Exchange Online and your on-premises Exchange servers.

Information Rights Management (IRM) helps you to protect against leakage of sensitive information by providing persistent online and offline protection of email messages and attachments. Both your Exchange on-premises organization and Exchange Online, in Office 365 for enterprises, support IRM. However, there are differences between the two implementations, and you need to configure IRM in the Exchange Online organization before users in that organization can use it.

IRM uses Active Directory Rights Management Services (AD RMS), which is a component of Windows Server 2008 and later. AD RMS allows users to create rights-protected content, such as email messages and attachments, and then control how that content is used, and to whom it's distributed. Users can specify templates that determine how content can be used. For example, a user may specify that an email message can't be forwarded to other recipients or that information in the message can't be copied.

Learn more about IRM in Exchange 2010 at: Understanding Information Rights Management.

Learn more about IRM in Exchange 2013 and Exchange 2016 at: Information Rights Management.

Learn more about AD RMS at: Active Directory Rights Management Services Overview.

Differences between IRM in Exchange On-premises and Exchange Online

IRM functionality that's available in your on-premises Exchange organization may be different than the functionality available in your Exchange Online organization. The following table provides a summary of features and functionality available in each organization. (Learn more about these features at: Understanding Information Rights Management.)

Available IRM features

| Feature | Available in Exchange 2007 and earlier | Available in Exchange 2010 | Available in Exchange Online and Exchange 2013 and later |
|---|---|---|---|
| Manual protection of messages in Outlook | Yes | Yes | Yes |
| Manual protection of messages in Outlook Web App | No | Yes | Yes |
| View IRM-protected messages in Outlook | Yes | Yes | Yes |
| View IRM-protected messages in Outlook Web App | No | Yes | Yes |
| IRM pre-licensing agent | Yes | Yes | Yes |
| RMS policy templates | No | Yes | Yes |
| Transport decryption | No | Yes | Yes |
| Journal report decryption | No | Yes | Yes |
| Exchange Search and discovery decryption | No | Yes | Yes |
| Automatic Outlook protection rules | No | No | Yes |
| Automatic transport protection rules | No | Yes | Yes |

IRM in hybrid deployments

Exchange uses AD RMS servers in the Active Directory forest in which the Exchange server is installed. For your on-premises Exchange servers, the on-premises AD RMS server is used. For your Exchange Online organization, AD RMS servers that are maintained within the Office 365 datacenters are used. The AD RMS configuration that each Exchange organization uses is independent of any other AD RMS deployment.

AD RMS configuration, and therefore IRM configuration, isn't automatically replicated between your on-premises Exchange organization and the Exchange Online organization. Any AD RMS templates that you've defined aren't automatically copied to the Exchange Online organization. If you want the same AD RMS templates to be available in the Exchange Online organization, you must manually export the templates from your on-premises organization and apply them to the Office 365 organization. See Configure IRM in hybrid deployments later in this topic.

User experience

The IRM configuration that's applied to a user depends on the client the user uses and the location of the user's mailbox. The following table shows the AD RMS server a user will use.

Active AD RMS server

| Client | On-premises mailbox | Exchange Online mailbox |
|---|---|---|
| Outlook desktop clients | On-premises AD RMS | On-premises AD RMS |
| Outlook on the web | On-premises AD RMS | Exchange Online AD RMS |
| ActiveSync device | On-premises AD RMS | Exchange Online AD RMS |

Depending on the AD RMS configuration you configure in your on-premises and Exchange Online organizations, it's possible that a user who uses Outlook 2007 and Outlook on the web may see different AD RMS templates. For this reason, we strongly recommend that you apply the same templates to both your on-premises and Exchange Online organizations.

There should be no difference in the IRM experience for Outlook client users, regardless of whether their mailbox is located in the on-premises or Exchange Online organization.

An Outlook on the web user whose mailbox is located on an Exchange on-premises server can only open rights-protected messages after installing the Rights Management for Internet Explorer add-in. They can't reply to or create new rights-protected messages.

An Outlook on the web user whose mailbox is located in Exchange Online can open rights-protected messages without any additional software and can reply to, and create, new rights-protected messages.

Server functionality

On-premises Exchange servers use the AD RMS pre-licensing agent to decrypt rights-protected messages so that users don't need to supply credentials when they open those messages. The on-premises Exchange server contacts the on-premises AD RMS server to check usage policies and rights, and to request authorization to decrypt the message.

The Exchange Online organization provides several additional IRM-related features that make use of Exchange Online AD RMS. These features, such as journal report decryption, make the content of rights-protected messages available to Exchange services for additional processing. For example, the decrypted contents of a journaled message can be saved, along with the original rights-protected message, to allow for easier discovery. Additionally, IRM templates can automatically be applied to messages using either Outlook protection rules or transport rules to ensure that messages adhere to organization policies regarding information protection.

Configure IRM in hybrid deployments

IRM in Exchange relies on AD RMS being deployed in the Active Directory forest in which the Exchange server resides. AD RMS configuration isn't automatically synchronized between the on-premises and Exchange Online organizations. You must manually export the AD RMS configuration, known as a trusted publishing domain (TPD), from your on-premises AD RMS server, and import that configuration into the Exchange Online organization. The TPD contains the AD RMS configuration, including templates, which the Exchange Online organization needs to use IRM.

Learn more at: AD RMS Trusted Publishing Domain Considerations.

In addition to applying your on-premises AD RMS configuration to the Exchange Online organization, you must ensure that your AD RMS servers can be contacted by Outlook and ActiveSync clients outside of your on-premises network. You must do this if you want these clients to access rights-protected messages outside of your on-premises network.

After you've configured your on-premises network and exported the TPD data, you need to configure the Exchange Online organization by importing the TPD data and enabling IRM.

Note

Any time you modify your on-premises AD RMS configuration, you must manually apply the new configuration in the Exchange Online organization. To do so, export the TPD data from your on-premises AD RMS server and import it into the Exchange Online organization.

How to configure IRM in Exchange hybrid deployments

If you use IRM in your on-premises Exchange organization and you want your Exchange Online users to also use IRM, you need to do the following:

  1. Configure your on-premises Active Directory Rights Management Services (AD RMS) server.

  2. Enable IRM in your Exchange Online organization.

  3. Distribute the imported AD RMS templates to users in the Exchange Online organization.

How do I configure on-premises AD RMS servers?

To configure IRM in a hybrid deployment, you need to use Windows PowerShell to access your on-premises AD RMS server. Learn more at: Using Windows PowerShell to Administer AD RMS.

Do the following to export trusted publishing domain (TPD) data from your on-premises AD RMS server and then configure access to the AD RMS server for external clients.

  1. Export TPD data from your on-premises organization. Learn more at: Exporting a Trusted Publishing Domain.

  2. Configure access to AD RMS servers from external clients. Learn more at: Adding an Extranet Cluster URL.

How do I enable IRM in the Exchange Online organization?

After you export the TPD data from your on-premises AD RMS servers, you need to import that data into the Exchange Online organization and then enable IRM.

  1. In the Exchange Online organization, import the TPD data.

    Import-RMSTrustedPublishingDomain -FileData $( [Byte[]] (Get-Content -Encoding Byte -Path "<Path to exported TPD file>" -ReadCount 0))
    
  2. Enable IRM in the Exchange Online organization.

    Set-IRMConfiguration -InternalLicensingEnabled $True
    

How do I distribute AD RMS templates in the Exchange Online organization?

After you've enabled IRM in the Exchange Online organization, you must distribute the imported AD RMS templates. The following Exchange Online users and features use AD RMS templates:

  • Outlook on the web users

  • Exchange ActiveSync users

  • Transport rules

  • Journal report decryption

  • Outlook protection rules

  1. In the Exchange Online organization, retrieve a list of AD RMS templates.

    Get-RMSTemplate -Type All
    
  2. Distribute the AD RMS templates to users and features in the Exchange Online organization.

    Set-RMSTemplate <template name> -Type Distributed
    

    Note

    You can't modify the "Do Not Forward" AD RMS template.

  3. Repeat step 2 for each AD RMS template you want to distribute.
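The Exchange Online side of the procedure above (import the TPD, enable IRM, distribute every imported template, then verify) collected into one script, as an added example that is not code from the original page. It assumes an Exchange Online PowerShell session, Windows PowerShell 5.1 for the Get-Content -Encoding Byte form used on the page, and placeholder values for the TPD file path, TPD name, licensing URLs and test sender.

```powershell
# Added example (not from the original page). Replace the placeholder values below.
$TpdPath      = "C:\Temp\contoso-tpd.xml"                    # exported TPD file (assumed path)
$TpdName      = "Contoso on-premises TPD"                    # display name for the imported TPD (assumed)
$LicensingUrl = "https://rms.contoso.example/_wmcs/licensing" # licensing URL of the on-premises cluster (assumed)
$TestSender   = "user@contoso.example"                        # mailbox used for the final check (constructed)

# 1. Import the TPD exported from the on-premises AD RMS server.
#    The export is password protected; prompt for the password instead of storing it.
$tpdBytes    = [byte[]](Get-Content -Encoding Byte -Path $TpdPath -ReadCount 0)
$tpdPassword = Read-Host -AsSecureString -Prompt "TPD export password"
Import-RMSTrustedPublishingDomain -FileData $tpdBytes -Name $TpdName -Password $tpdPassword `
    -IntranetLicensingUrl $LicensingUrl -ExtranetLicensingUrl $LicensingUrl

# 2. Enable IRM for the Exchange Online organization.
Set-IRMConfiguration -InternalLicensingEnabled $true

# 3. Distribute each imported template that is not yet distributed.
#    "Do Not Forward" is skipped because that template cannot be modified.
foreach ($template in (Get-RMSTemplate -Type All)) {
    if ($template.Name -eq "Do Not Forward") { continue }
    if ($template.Type -ne "Distributed") {
        Set-RMSTemplate -Identity $template.Name -Type Distributed
        Write-Host "Distributed template: $($template.Name)"
    }
}

# 4. Verify: every imported template should now be listed, and IRM should be
#    working for a test sender.
Get-RMSTemplate | Format-Table Name, Type -AutoSize
Test-IRMConfiguration -Sender $TestSender
```

Re-run steps 1, 3 and 4 whenever the on-premises AD RMS configuration changes, since the TPD is not synchronized automatically.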

How do I know this worked?

Outlook on the web users should be able to apply AD RMS templates to new messages. Outlook on the web and Exchange ActiveSync users should be able to read messages that have AD RMS templates applied to them. In addition, all the AD RMS templates that were imported from your on-premises organization should be listed when you run the Get-RMSTemplate cmdlet.

Run the following command in the Exchange Online organization.

Get-RMSTemplate

Learn more at: Understanding Information Rights Management in Outlook Web App.