Configuring servers for the Azure Rights Management connector

*Applies to: Azure Information Protection, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012*

*Relevant for: AIP unified labeling client and classic client*

Use the following information to help you configure your on-premises servers that will use the Azure Rights Management (RMS) connector. These procedures cover step 5 from Deploying the Azure Rights Management connector.

Prerequisites: Before you begin, make sure that you have:

  • Installed and configured the RMS connector

  • Checked any prerequisites relevant for the servers that will use the connector.

Configuring servers to use the RMS connector

After you have installed and configured the RMS connector, you are ready to configure the on-premises servers that will connect to the Azure Rights Management service, and use this protection technology by using the connector.

This means configuring the following servers:

Environment | Servers to configure
Exchange 2016 and Exchange 2013 | Client access servers and mailbox servers
Exchange 2019 | Client access servers and hub transport servers
SharePoint | Front-end SharePoint webservers, including those hosting the Central Administration server
File Classification Infrastructure | Windows Server computers that have installed File Resource Manager

This configuration requires registry settings, with the following options:

Important

In both cases, you must manually install any prerequisites and configure Exchange, SharePoint, and File Classification Infrastructure to use Rights Management.

Note

For most organizations, automatic configuration by using the server configuration tool for Microsoft RMS connector will be the better option, because it provides greater efficiency and reliability than manual configuration.

After making the configuration changes on these servers, you must restart them if they are running Exchange or SharePoint, and were previously configured to use AD RMS. There is no need to restart these servers if you are configuring them for Rights Management for the first time.

You must always restart the file server that is configured to use File Classification Infrastructure after you make these configuration changes.

Edit registry settings automatically - advantages and disadvantages

Edit your registry settings automatically, by using the server configuration tool for Microsoft RMS connector.

Advantages include:

  • No direct editing of the registry. This is automated for you by using a script.

  • No need to run a Windows PowerShell cmdlet to obtain your Microsoft RMS URL.

  • The prerequisites are automatically checked for you (but not automatically remediated) if you run it locally.

Disadvantages include: When you run the tool, you must make a connection to a server that is already running the RMS connector.

For more information, see How to use the server configuration tool for Microsoft RMS connector.

Edit registry settings manually - advantages and disadvantages

Advantages include: No connectivity to a server running the RMS connector is required.

Disadvantages include:

  • More administrative overhead, which is error-prone.

  • You must obtain your Microsoft RMS URL, which requires you to run a Windows PowerShell command.

  • You must always make all the prerequisites checks yourself.

How to use the server configuration tool for Microsoft RMS connector

  1. If you haven't already downloaded the script for the server configuration tool for Microsoft RMS connector (GenConnectorConfig.ps1), download it from the Microsoft Download Center.

  2. Save the GenConnectorConfig.ps1 file on the computer where you will run the tool.

    If you will run the tool locally, this must be the server that you want to configure to communicate with the RMS connector. Otherwise, you can save it on any computer.

  3. Decide how to run the tool:

    Method | Description
    Locally | Run the tool interactively, from the server to be configured to communicate with the RMS connector. Tip: This is useful for a one-off configuration, such as a testing environment.
    Software deployment | Run the tool to produce registry files, which you then deploy to one or more relevant servers. Deploy the registry files using a systems management application that supports software deployment, such as System Center Configuration Manager.
    Group policy | Run the tool to produce a script that you give to an administrator who can create Group Policy objects for the servers to be configured. This script creates one Group Policy object for each server type to be configured, which the administrator can then assign to the relevant servers.

    Note

    This tool configures the servers that will communicate with the RMS connector and that are listed at the beginning of this section. Do not run this tool on the servers that run the RMS connector.

  4. Start Windows PowerShell with the Run as an administrator option, and use the Get-Help command to read instructions on how to use the tool for your chosen configuration method:

    Get-help .\GenConnectorConfig.ps1 -detailed
    

To run the script, you must enter the URL of the RMS connector for your organization.

Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load balanced address of your connector. For example, https://connector.contoso.com.

The tool then uses that URL to contact the servers running the RMS connector and obtain other parameters that are used to create the required configurations.

Important

When you run this tool, make sure that you specify the name of the load-balanced RMS connector for your organization and not the name of a single server that runs the RMS connector service.
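
The URL requirements above can be checked before the value is passed to the tool. The following is an added example, not part of the original page or of GenConnectorConfig.ps1; the function name, the -ConnectorNodes list of individual connector servers and the sample node names are assumptions.

```powershell
# Added example, not part of GenConnectorConfig.ps1.
# Test-RmsConnectorUrl and -ConnectorNodes are illustrative names (assumptions).
function Test-RmsConnectorUrl {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        # Names of the individual servers that run the RMS connector service.
        [string[]]$ConnectorNodes = @(),
        # Also confirm that the name is defined in DNS (needs network access).
        [switch]$ResolveDns
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $uri = $null

    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        $problems.Add('Not an absolute URL: include the http:// or https:// prefix.')
    }
    elseif ($uri.Scheme -notin @('http', 'https')) {
        $problems.Add("Scheme '$($uri.Scheme)' is not http or https.")
    }
    else {
        # The tool expects the name defined in DNS for the load-balanced address.
        if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
            $problems.Add("'$($uri.Host)' is not a DNS name.")
        }
        # Compare short host names so that FQDN and single-label forms both match.
        $short = ($uri.Host -split '\.')[0]
        $nodeShort = @($ConnectorNodes | ForEach-Object { ($_ -split '\.')[0] })
        if ($nodeShort -contains $short) {
            $problems.Add("'$($uri.Host)' is a single connector server, not the load-balanced name.")
        }
        if ($ResolveDns -and $problems.Count -eq 0) {
            try { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
            catch { $problems.Add("'$($uri.Host)' does not resolve in DNS.") }
        }
    }
    [pscustomobject]@{
        Url      = $Url
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample input: the contoso.com name used on this page, node names invented.
$nodes = 'rmsconn01.contoso.com', 'rmsconn02.contoso.com'
'https://connector.contoso.com', 'connector.contoso.com', 'https://rmsconn01' |
    ForEach-Object { Test-RmsConnectorUrl -Url $_ -ConnectorNodes $nodes } |
    Format-List Url, IsValid, Problems
```

Only the first sample value passes; the second lacks the protocol prefix and the third names a single connector server.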

Use the following sections for specific information for each service type:

When to install client applications on separate computers, which are not configured to use the connector

After these servers are configured to use the connector, client applications that are installed locally on these servers might not work with RMS. When this happens, it is because the applications try to use the connector rather than use RMS directly, which is not supported.

In addition, if Office 2010 is installed locally on an Exchange server, the client app's IRM features might work from that computer after the server is configured to use the connector, but this is not supported.

In both scenarios, you must install the client applications on separate computers that are not configured to use the connector. They will then correctly use RMS directly.

Important

Office 2010 extended support ended on October 13, 2020. For more information, see AIP and legacy Windows and Office versions.

Configuring an Exchange server to use the connector

The following Exchange roles communicate with the RMS connector:

  • For Exchange 2016 and Exchange 2013: Client access server and mailbox server

  • For Exchange 2019: Client access server and hub transport server

To use the RMS connector, these servers running Exchange must be running one of the following software versions:

  • Exchange Server 2016

  • Exchange Server 2013 with Exchange 2013 Cumulative Update 3

  • Exchange Server 2019

These servers also need a version 1 RMS client (also known as MSDRM) that includes support for RMS Cryptographic Mode 2. All Windows operating systems include the MSDRM client, but early versions of the client did not support Cryptographic Mode 2. If your Exchange servers are running at least Windows Server 2012, no further action is required because the RMS client installed with these operating systems natively supports Cryptographic Mode 2.

Important

If these versions or later versions of Exchange and the MSDRM client are not installed, you will not be able to configure Exchange to use the connector. Check that these versions are installed before you continue.

To configure Exchange servers to use the connector

  1. Make sure that the Exchange servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information from the Authorizing servers to use the RMS connector section.

    This configuration is required so that Exchange can use the RMS connector.

  2. On the Exchange server roles that communicate with the RMS connector, do one of the following:

  3. Enable IRM functionality for Exchange by using the Exchange PowerShell cmdlet Set-IRMConfiguration. Set InternalLicensingEnabled $true and ClientAccessServerEnabled $true.
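
One way to apply and confirm the two IRM settings from the last step, as an added example that is not part of the original page. It assumes the Exchange Management Shell on a server already configured to use the connector; the function name is illustrative.

```powershell
# Added example; run in the Exchange Management Shell. Function name is illustrative.
function Enable-ConnectorIrm {
    # The two settings named in the step above.
    $wanted = @{
        InternalLicensingEnabled  = $true
        ClientAccessServerEnabled = $true
    }

    # Change only what differs, so a second run makes no changes.
    $before = Get-IRMConfiguration
    $change = @{}
    foreach ($name in $wanted.Keys) {
        if ($before.$name -ne $wanted[$name]) { $change[$name] = $wanted[$name] }
    }
    if ($change.Count -gt 0) {
        Set-IRMConfiguration @change
    }

    # Read the configuration back and fail loudly if a setting did not apply.
    $after = Get-IRMConfiguration
    foreach ($name in $wanted.Keys) {
        if ($after.$name -ne $wanted[$name]) {
            throw "IRM setting $name is '$($after.$name)', expected '$($wanted[$name])'."
        }
    }
    $after | Select-Object InternalLicensingEnabled, ClientAccessServerEnabled
}

Enable-ConnectorIrm
```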

Configuring a SharePoint server to use the connector

Front-end SharePoint webservers, including those hosting the Central Administration server, communicate with the RMS connector.

To use the RMS connector, these servers running SharePoint must be running one of the following software versions:

  • SharePoint Server 2019

  • SharePoint Server 2016

  • SharePoint Server 2013

  • SharePoint Server 2010

A server running SharePoint 2019, 2016 or SharePoint 2013 must also be running a version of the MSIPC client 2.1 that is supported with the RMS connector.

To make sure that you have a supported version, download the latest client from the Microsoft Download Center.

Warning

There are multiple versions of the MSIPC 2.1 client, so make sure that you have version 1.0.2004.0 or later.

You can verify the client version by checking the version number of MSIPC.dll, which is located in \Program Files\Active Directory Rights Management Services Client 2.1. The properties dialog box shows the version number of the MSIPC 2.1 client.

Servers running SharePoint 2010 must have installed a version of the MSDRM client that includes support for RMS Cryptographic Mode 2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.
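
The client checks described above (MSIPC.dll at 1.0.2004.0 or later, and an operating system of at least Windows Server 2012 for native Cryptographic Mode 2 support in MSDRM) can be scripted for the manual route. This is an added example, not part of the original page or of Microsoft's tool; the function and property names are illustrative, and it assumes the file version of MSIPC.dll is the number the properties dialog box shows.

```powershell
# Added example; function and property names are illustrative (assumptions).
function Test-RmsClientPrerequisite {
    param(
        # Location given on this page, relative to the Program Files folder.
        [string]$MsipcPath = (Join-Path $env:ProgramFiles 'Active Directory Rights Management Services Client 2.1\MSIPC.dll'),
        # Minimum MSIPC 2.1 client version stated on this page.
        [version]$MinimumMsipc = '1.0.2004.0'
    )

    # MSDRM: Windows Server 2012 (OS version 6.2) and later support
    # Cryptographic Mode 2 natively. ProductType 1 is a workstation edition.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osVersion = [version]$os.Version
    $msdrmOk = ($os.ProductType -ne 1) -and ($osVersion -ge [version]'6.2')

    # MSIPC: read the numeric file version of MSIPC.dll, if the client is installed.
    $msipcVersion = $null
    if (Test-Path -LiteralPath $MsipcPath -PathType Leaf) {
        $info = (Get-Item -LiteralPath $MsipcPath).VersionInfo
        $msipcVersion = New-Object System.Version -ArgumentList @(
            $info.FileMajorPart, $info.FileMinorPart,
            $info.FileBuildPart, $info.FilePrivatePart)
    }
    $msipcOk = ($null -ne $msipcVersion) -and ($msipcVersion -ge $MinimumMsipc)

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        OsVersion         = $osVersion
        MsdrmCryptoMode2  = $msdrmOk
        MsipcVersion      = $msipcVersion   # $null when the client is not installed
        MsipcMeetsMinimum = $msipcOk
    }
}

$result = Test-RmsClientPrerequisite
$result | Format-List
if (-not $result.MsipcMeetsMinimum) {
    Write-Warning 'MSIPC 2.1 client is missing or older than 1.0.2004.0 (needed for SharePoint 2019, 2016 and 2013).'
}
if (-not $result.MsdrmCryptoMode2) {
    Write-Warning 'This OS is older than Windows Server 2012; check that the MSDRM client supports Cryptographic Mode 2.'
}
```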

To configure SharePoint servers to use the connector

  1. Make sure that the SharePoint servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information from the Authorizing servers to use the RMS connector section.

    This configuration is required so that your SharePoint servers can use the RMS connector.

  2. On the SharePoint servers that communicate with the RMS connector, do one of the following:

    • Run the server configuration tool for Microsoft RMS connector

      For more information, see How to use the server configuration tool for Microsoft RMS connector.

      For example, to run the tool locally to configure a server running SharePoint 2019, 2016 or SharePoint 2013:

      .\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013
      
    • If you are using SharePoint 2019, 2016 or SharePoint 2013, make manual registry edits by using the information in Registry settings for the RMS connector to manually add registry settings on the servers.

  3. Enable IRM in SharePoint. For more information, see Configure Information Rights Management (SharePoint Server 2010) in the SharePoint library.

    When you follow these instructions, you must configure SharePoint to use the connector by specifying Use this RMS server, and then enter the load-balancing connector URL that you configured.

    Enter the protocol prefix (HTTP:// or HTTPS://) and the name of the connector that you defined in DNS for the load balanced address of your connector.

    For example, if your connector name is https://connector.contoso.com, your configuration will look like the following picture:

    [Picture: Configuring SharePoint Server for the RMS connector]

    After IRM is enabled on a SharePoint farm, you can enable IRM on individual libraries by using the Information Rights Management option on the Library Settings page for each of the libraries.

Configuring a file server for File Classification Infrastructure to use the connector

To use the RMS connector and File Classification Infrastructure to protect Office documents, the file server must be running one of the following operating systems:

  • Windows Server 2016

  • Windows Server 2012 R2

  • Windows Server 2012

To configure file servers to use the connector

  1. Make sure that the file servers are authorized to use the RMS connector, by using the RMS connector administration tool and the information from the Authorizing servers to use the RMS connector section.

    This configuration is required so that your file servers can use the RMS connector.

  2. On the file servers configured for File Classification Infrastructure and that will communicate with the RMS connector, do one of the following:

  3. Create classification rules and file management tasks to protect documents with RMS Encryption, and then specify an RMS template to automatically apply RMS policies.

    For more information, see File Server Resource Manager Overview in the Windows Server documentation library.

Next steps

Now that the RMS connector is installed and configured, and your servers are configured to use it, IT administrators and users can protect and consume email messages and documents by using the Azure Rights Management service.

To make this easy for users, deploy the Azure Information Protection client, which installs an add-on for Office and adds new right-click options to File Explorer.

For more information, see the Azure Information Protection client administrator guide.

Note that if you configure departmental templates that you want to use with Exchange transport rules or Windows Server FCI, the scope configuration must include the application compatibility option, with the "Show this template to all users when the applications do not support user identity" check box selected.

You can use the Azure Information Protection deployment roadmap to check whether there are other configuration steps that you might want to do before you roll out Azure Rights Management to users and administrators.

To monitor the RMS connector, see Monitor the Azure Rights Management connector.