Installing and configuring the Azure Rights Management connector

*Applies to: Azure Information Protection, Windows Server 2019, 2016, 2012 R2, and Windows Server 2012*

*Relevant for: AIP unified labeling client and classic client*

Use the following information to help you install and configure the Azure Rights Management (RMS) connector. These procedures cover steps 1 through 4 from Deploying the Azure Rights Management connector.

Before you begin, make sure that you have reviewed and checked the prerequisites for this deployment.

Make sure you are aware of the correct Azure sovereign cloud instance for your connector to be able to complete setup and configuration:

  • AzureCloud: Commercial offering of Azure
  • AzureChinaCloud: Azure Operated by 21Vianet
  • AzureUSGovernment: Azure Government (GCC High/DoD)
  • AzureUSGovernment2: Azure Government 2
  • AzureUSGovernment3: Azure Government 3

Installing the RMS connector

  1. Identify the computers (minimum of two) to run the RMS connector. These computers must meet the minimum specification listed in the prerequisites.

    Note

    Install a single RMS connector (consisting of multiple servers for high availability) per tenant (Microsoft 365 tenant or Azure AD tenant). Unlike Active Directory RMS, you do not have to install an RMS connector in each forest.

  2. Download the source files for the RMS connector from the Microsoft Download Center.

    To install the RMS connector, download RMSConnectorSetup.exe.

    In addition:

    • If you want to use the server configuration tool for the RMS connector, to automate the configuration of registry settings on your on-premises servers, also download GenConnectorConfig.ps1.

  3. On the computer on which you want to install the RMS connector, run RMSConnectorSetup.exe with administrator privileges.

  4. On the Welcome page of Microsoft Rights Management Connector Setup, select Install Microsoft Rights Management connector on the computer, and then click Next.

  5. Read and agree to the RMS connector license terms, and then click Next.

Entering credentials

Before you can configure the RMS connector, you must first select the Cloud environment that matches your solution.

  • AzureCloud: Commercial offering of Azure
  • AzureChinaCloud: Azure Operated by 21Vianet
  • AzureUSGovernment: Azure Government (GCC High/DoD)
  • AzureUSGovernment2: Azure Government 2
  • AzureUSGovernment3: Azure Government 3

Screenshot: Select the correct Azure environment to authenticate the new AAD RM connector.

After making your Cloud environment selection, enter your Username and password. Make sure you enter credentials for an account that has sufficient privileges to configure the RMS connector. For example, you might type admin@contoso.com and then specify the password for this account.

In addition, if you have implemented onboarding controls, make sure that the account you specify is able to protect content. For example, if you restricted the ability to protect content to the "IT department" group, the account that you specify here must be a member of that group. If not, you see the error message: The attempt to discover the location of the administration service and organization failed. Make sure Microsoft Rights Management service is enabled for your organization.

You can use an account that has one of the following privileges:

  • Global administrator for your tenant: An account that is a global administrator for your Microsoft 365 tenant or Azure AD tenant.

  • Azure Rights Management global administrator: An account in Azure Active Directory that has been assigned the Azure RMS global administrator role.

  • Azure Rights Management connector administrator: An account in Azure Active Directory that has been granted rights to install and administer the RMS connector for your organization.

    Note

    The Azure Rights Management global administrator role and Azure Rights Management connector administrator role are assigned to accounts by using the Add-AipServiceRoleBasedAdministrator cmdlet.

    To run the RMS connector with least privileges, create a dedicated account for this purpose that you then assign the Azure RMS connector administrator role by doing the following:

    1. If you haven't already done so, download and install the AIPService PowerShell module. For more information, see Installing the AIPService PowerShell module.

      Start Windows PowerShell with the Run as administrator command, and connect to the protection service by using the Connect-AipService command:

      Connect-AipService                   # provide Microsoft 365 tenant administrator or Azure RMS global administrator credentials
      
    2. Then run the Add-AipServiceRoleBasedAdministrator command, using just one of the following parameters:

      Add-AipServiceRoleBasedAdministrator -EmailAddress <email address> -Role "ConnectorAdministrator"
      
      Add-AipServiceRoleBasedAdministrator -ObjectId <object id> -Role "ConnectorAdministrator"
      
      Add-AipServiceRoleBasedAdministrator -SecurityGroupDisplayName <group Name> -Role "ConnectorAdministrator"
      

      For example, type: Add-AipServiceRoleBasedAdministrator -EmailAddress melisa@contoso.com -Role "ConnectorAdministrator"

      Although these commands assign the connector administrator role, you can also use the GlobalAdministrator role here.
During the RMS connector installation process, all prerequisite software is validated and installed, Internet Information Services (IIS) is installed if not already present, and the connector software is installed and configured. In addition, Azure RMS is prepared for configuration by creating the following:

  • An empty table of servers that are authorized to use the connector to communicate with Azure RMS. Add servers to this table later.

  • A set of security tokens for the connector, which authorize operations with Azure RMS. These tokens are downloaded from Azure RMS and installed on the local computer in the registry. They are protected by using the data protection application programming interface (DPAPI) and the Local System account credentials.

On the final page of the wizard, do the following, and then click Finish:

  • If this is the first connector that you have installed, do not select Launch connector administrator console to authorize servers at this time. You will select this option after you have installed your second (or final) RMS connector. Instead, run the wizard again on at least one other computer. You must install a minimum of two connectors.

  • If you have installed your second (or final) connector, select Launch connector administrator console to authorize servers.

Tip

At this point, there is a verification test that you can perform to test whether the web services for the RMS connector are operational:

  • From a web browser, connect to http://<connectoraddress>/_wmcs/certification/servercertification.asmx, replacing <connectoraddress> with the server address or name that has the RMS connector installed. A successful connection displays a ServerCertificationWebService page.
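The same verification test, scripted so that it can be repeated against every connector server after each installation. This is an added example, not from the original page; the server names rmsconn01.contoso.local and rmsconn02.contoso.local are constructed placeholders.

```powershell
# Added example, not from the original page. Checks that the ServerCertification web service
# answers on each connector server. Server names below are constructed placeholders.
$connectorServers = @('rmsconn01.contoso.local', 'rmsconn02.contoso.local')

function Test-RmsConnectorWebService {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [switch] $UseHttps
    )
    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    $url = "$scheme://$Server/_wmcs/certification/servercertification.asmx"
    try {
        # -UseDefaultCredentials lets IIS Windows authentication succeed if it is enabled on the site
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
        # The page the wizard-installed service returns names the ServerCertificationWebService
        $healthy = ($response.StatusCode -eq 200) -and ($response.Content -match 'ServerCertificationWebService')
        [pscustomobject]@{ Server = $Server; Url = $url; StatusCode = $response.StatusCode; Healthy = $healthy; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Url = $url; StatusCode = $null; Healthy = $false; Error = $_.Exception.Message }
    }
}

$results = foreach ($server in $connectorServers) { Test-RmsConnectorWebService -Server $server }
$results | Format-Table Server, StatusCode, Healthy, Error -AutoSize

$failed = $results | Where-Object { -not $_.Healthy }
if ($failed) {
    Write-Warning "$($failed.Count) connector server(s) did not return the ServerCertificationWebService page; check the installation log on those servers."
}
```

Test each server by its own name rather than the load-balanced name so that a failure is attributable to one node; once HTTPS is configured (later in this article), run the function again with -UseHttps.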

If you need to uninstall the RMS connector, run the wizard again and select the uninstall option.

If you experience any problems during the installation, check the installation log: %LocalAppData%\Temp\Microsoft Rights Management connector_<date and time>.log

As an example, your install log might look similar to C:\Users\Administrator\AppData\Local\Temp\Microsoft Rights Management connector_20170803110352.log

Authorizing servers to use the RMS connector

When you have installed the RMS connector on at least two computers, you are ready to authorize the servers and services that you want to use the RMS connector. For example, servers running Exchange Server 2013 or SharePoint Server 2013.

To define these servers, run the RMS connector administration tool and add entries to the list of allowed servers. You can run this tool when you select Launch connector administration console to authorize servers at the end of the Microsoft Rights Management connector Setup wizard, or you can run it separately from the wizard.

When you authorize these servers, be aware of the following considerations:

  • Servers that you add are granted special privileges. All accounts that you specify for the Exchange Server role in the connector configuration are granted the super user role in Azure RMS, which gives them access to all content for this RMS tenant. The super user feature is automatically enabled at this point, if necessary. To avoid the security risk of elevation of privileges, be careful to specify only the accounts that are used by your organization's Exchange servers. All servers configured as SharePoint servers or file servers that use FCI are granted regular user privileges.

  • You can add multiple servers as a single entry by specifying an Active Directory security or distribution group, or a service account that is used by more than one server. When you use this configuration, the group of servers shares the same RMS certificates and all are considered owners for content that any of them have protected. To minimize administrative overheads, we recommend that you use this configuration of a single group rather than individual servers to authorize your organization's Exchange servers or a SharePoint server farm.

On the Servers allowed to utilize the connector page, click Add.

Note

Authorizing servers is the equivalent configuration in Azure RMS to the AD RMS configuration of manually applying NTFS rights to ServerCertification.asmx for the service or server computer accounts, and manually granting super user rights to the Exchange accounts. Applying NTFS rights to ServerCertification.asmx is not required on the connector.

Add a server to the list of allowed servers

On the Allow a server to utilize the connector page, enter the name of the object, or browse to identify the object to authorize.

It is important that you authorize the correct object. For a server to use the connector, the account that runs the on-premises service (for example, Exchange or SharePoint) must be selected for authorization. For example, if the service is running as a configured service account, add the name of that service account to the list. If the service is running as Local System, add the name of the computer object (for example, SERVERNAME$). As a best practice, create a group that contains these accounts and specify the group instead of individual server names.

More information about the different server roles:

  • For servers that run Exchange: You must specify a security group and you can use the default group (Exchange Servers) that Exchange automatically creates and maintains of all Exchange servers in the forest.

  • For servers that run SharePoint:

    • If a SharePoint 2010 server is configured to run as Local System (it's not using a service account), manually create a security group in Active Directory Domain Services, and add the computer name object for the server in this configuration to this group.

    • If a SharePoint server is configured to use a service account (the recommended practice for SharePoint 2010 and the only option for SharePoint 2016 and SharePoint 2013), do the following:

      1. Add the service account that runs the SharePoint Central Administration service to enable SharePoint to be configured from its administrator console.

      2. Add the account that is configured for the SharePoint App Pool.

      Tip

      If these two accounts are different, consider creating a single group that contains both accounts to minimize the administrative overheads.

  • For file servers that use File Classification Infrastructure, the associated services run as the Local System account, so you must authorize the computer account for the file servers (for example, SERVERNAME$) or a group that contains those computer accounts.

When you have finished adding servers to the list, click Close.

If you haven't already done so, you must now configure load balancing for the servers that have the RMS connector installed, and consider whether to use HTTPS for the connections between these servers and the servers that you have just authorized.

Configuring load balancing and high availability

After you have installed the second or final instance of the RMS connector, define a connector URL server name and configure a load-balancing system.

The connector URL server name can be any name under a namespace that you control. For example, you could create an entry in your DNS system for rmsconnector.contoso.com and configure this entry to use an IP address in your load-balancing system. There are no special requirements for this name and it doesn't need to be configured on the connector servers themselves. Unless your Exchange and SharePoint servers are going to be communicating with the connector over the internet, this name doesn't have to resolve on the internet.

Important

We recommend that you don't change this name after you have configured Exchange or SharePoint servers to use the connector, because you then have to clear these servers of all IRM configurations and reconfigure them.

After the name is created in DNS and is configured for an IP address, configure load balancing for that address, which directs traffic to the connector servers. You can use any IP-based load balancer for this purpose, which includes the Network Load Balancing (NLB) feature in Windows Server. For more information, see Load Balancing Deployment Guide.

Use the following settings to configure the NLB cluster:

  • Ports: 80 (for HTTP) or 443 (for HTTPS)

    For more information about whether to use HTTP or HTTPS, see the next section.

  • Affinity: None

  • Distribution method: Equal

This name that you define for the load-balanced system (for the servers running the RMS connector service) is your organization's RMS connector name that you use later, when you configure the on-premises servers to use Azure RMS.
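The NLB settings listed above (ports 80 and 443, Affinity None, equal distribution), applied with the NetworkLoadBalancingClusters module so that only the connector ports are load balanced. This is an added example and not from the original page: the cluster name reuses the page's rmsconnector.contoso.com, while the node names, interface name, cluster IP, subnet mask and the choice of Multicast operation mode are constructed assumptions to replace with your own values.

```powershell
# Added example, not from the original page. Builds a two-node NLB cluster for the connector
# servers with the port rules from the article. Node names, NIC name, IP and subnet are constructed.
Import-Module NetworkLoadBalancingClusters

$clusterName   = 'rmsconnector.contoso.com'   # DNS name created for the connector (from the page)
$clusterIp     = '10.0.0.50'                  # constructed: the address the DNS entry resolves to
$subnetMask    = '255.255.255.0'              # constructed
$interfaceName = 'Ethernet'                   # constructed: NIC name on each connector server
$firstNode     = 'rmsconn01'                  # constructed
$secondNode    = 'rmsconn02'                  # constructed

# Create the cluster on the first connector server. Multicast is an assumption; choose the
# operation mode that your switches support.
New-NlbCluster -HostName $firstNode -InterfaceName $interfaceName -ClusterName $clusterName `
    -ClusterPrimaryIP $clusterIp -SubnetMask $subnetMask -OperationMode Multicast | Out-Null

# New clusters get a default rule covering every port; remove it so that only 80 and 443 are balanced
Get-NlbClusterPortRule -HostName $firstNode | Remove-NlbClusterPortRule -Force

# One rule per connector port: TCP, no affinity, Multiple-host mode (equal load across nodes)
foreach ($port in 80, 443) {
    Add-NlbClusterPortRule -HostName $firstNode -StartPort $port -EndPort $port `
        -Protocol Tcp -Affinity None -Mode Multiple | Out-Null
}

# Join the second connector server to the cluster
Add-NlbClusterNode -HostName $firstNode -NewNodeName $secondNode -NewNodeInterface $interfaceName | Out-Null

# Review the result: both nodes should converge, and only the two port rules should remain
Get-NlbClusterNode -HostName $firstNode | Format-Table Name, State -AutoSize
Get-NlbClusterPortRule -HostName $firstNode | Format-Table StartPort, EndPort, Protocol, Affinity, Mode -AutoSize
```

Removing the default all-ports rule matters: with it in place the cluster would also balance management traffic such as RDP and WinRM to whichever node answers first, which is rarely intended for an administrative endpoint.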

Configuring the RMS connector to use HTTPS

Note

This configuration step is optional, but recommended for additional security.

Although the use of TLS or SSL is optional for the RMS connector, we recommend it for any HTTP-based security-sensitive service. This configuration authenticates the servers running the connector to your Exchange and SharePoint servers that use the connector. In addition, all data that is sent from these servers to the connector is encrypted.

To enable the RMS connector to use TLS, on each server that runs the RMS connector, install a server authentication certificate that contains the name that you use for the connector. For example, if the RMS connector name that you defined in DNS is rmsconnector.contoso.com, deploy a server authentication certificate that contains rmsconnector.contoso.com in the certificate subject as the common name. Or, specify rmsconnector.contoso.com in the certificate alternative name as the DNS value. The certificate does not have to include the name of the server. Then in IIS, bind this certificate to the Default Web Site.

If you use the HTTPS option, ensure that all servers that run the connector have a valid server authentication certificate that chains to a root CA that your Exchange and SharePoint servers trust. In addition, if the certification authority (CA) that issued the certificates for the connector servers publishes a certificate revocation list (CRL), the Exchange and SharePoint servers must be able to download this CRL.

Tip

You can use the following information and resources to help you request and install a server authentication certificate, and to bind this certificate to the Default Web Site in IIS:

  • If you use Active Directory Certificate Services (AD CS) and an enterprise certification authority (CA) to deploy these server authentication certificates, you can duplicate and then use the Web Server certificate template. This certificate template uses Supplied in the request for the certificate subject name, which means that you can provide the FQDN of the RMS connector name for the certificate subject name or subject alternative name when you request the certificate.
  • If you use a stand-alone CA or purchase this certificate from another company, see Configuring Internet Server Certificates (IIS 7) in the Web Server (IIS) documentation library on TechNet.
  • To configure IIS to use the certificate, see Add a Binding to a Site (IIS 7) in the Web Server (IIS) documentation library on TechNet.
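The certificate requirements in this section, checked and applied on one connector server: find a certificate in the machine store that carries the connector name, confirm it validates for server authentication against that name (chain, expiry, EKU and revocation), and bind it to the Default Web Site on 443. This is an added example, not code from the original page; it assumes the WebAdministration and PKI modules that ship with Windows Server, and rmsconnector.contoso.com is the page's example connector name.

```powershell
# Added example, not from the original page. Selects, validates and binds the server
# authentication certificate for the connector name on this connector server.
Import-Module WebAdministration   # IIS: drive, Get-WebBinding, New-WebBinding

$connectorName = 'rmsconnector.contoso.com'   # the name defined in DNS for the connector

# Candidate certificates: have a private key and carry the connector name in CN or SAN.
# DnsNameList is the PowerShell-added property listing CN and SAN DNS names.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $connectorName)
}
if (-not $candidates) {
    throw "No certificate with a private key for $connectorName was found in LocalMachine\My."
}
# If several match (for example after renewal), take the one that expires last
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Validate as an SSL server certificate for this host name. This checks the chain to a trusted
# root, validity period, the Server Authentication EKU and revocation status, which is what the
# Exchange and SharePoint servers will evaluate when they connect.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $connectorName -ErrorAction SilentlyContinue)) {
    throw "Certificate $($cert.Thumbprint) does not validate for $connectorName; check the chain, EKU, expiry and CRL reachability."
}

# Ensure the Default Web Site has an HTTPS binding on 443, then attach the certificate to it
$site = 'Default Web Site'
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
# IIS:\SslBindings maps <ip>!<port> to a certificate; 0.0.0.0!443 covers all addresses on 443
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert | Out-Null

Write-Output "Bound $($cert.Thumbprint) ($($cert.Subject), expires $($cert.NotAfter)) to '$site' on 443."
Get-WebBinding -Name $site
```

Run it on every connector server: the certificate can be the same one on each node because it names the connector, not the server, and Test-Certificate will fail on a node where the issuing chain or the CRL distribution point is not reachable, which is exactly the condition the Exchange and SharePoint servers would also hit.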

Configuring the RMS connector for a web proxy server

If your connector servers are installed in a network that does not have direct internet connectivity and requires manual configuration of a web proxy server for outbound internet access, you must configure the registry on these servers for the RMS connector.

To configure the RMS connector to use a web proxy server

  1. On each server running the RMS connector, open a registry editor, such as Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector

  3. Add the string value of ProxyAddress and then set the Data for this value to be http://<MyProxyDomainOrIPaddress>:<MyProxyPort>

    For example: http://proxyserver.contoso.com:8080

  4. Close the registry editor, and then restart the server or perform an IISReset command to restart IIS.
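The four steps above as one script that runs on every connector server over PowerShell remoting: it checks that the connector key exists, rejects a malformed proxy URL before anything is written, sets ProxyAddress, reads it back and restarts IIS. This is an added example, not from the original page; the proxy URL is the page's example and the server names are constructed placeholders.

```powershell
# Added example, not from the original page. Sets the ProxyAddress value the RMS connector reads
# and restarts IIS, on each connector server. Server names are constructed placeholders.
$connectorServers = @('rmsconn01.contoso.local', 'rmsconn02.contoso.local')
$proxyAddress     = 'http://proxyserver.contoso.com:8080'   # example value from the article

# Catch typos before IIS is restarted: scheme, host and explicit port, nothing else
if ($proxyAddress -notmatch '^https?://[^/:\s]+:\d{1,5}$') {
    throw "ProxyAddress must have the form http://<host or IP>:<port>; got '$proxyAddress'."
}

$configureProxy = {
    param([string] $Proxy)
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\AADRM\Connector'   # key from the article

    # The key is created by connector setup; its absence means the connector is not installed here
    if (-not (Test-Path $keyPath)) {
        throw "$env:COMPUTERNAME: $keyPath not found; is the RMS connector installed on this server?"
    }

    # Create or overwrite the REG_SZ value ProxyAddress
    New-ItemProperty -Path $keyPath -Name 'ProxyAddress' -Value $Proxy -PropertyType String -Force | Out-Null

    # Read back what was written so the caller sees the effective value per server
    $effective = (Get-ItemProperty -Path $keyPath -Name 'ProxyAddress').ProxyAddress

    # Restart IIS so the connector picks up the setting (same effect as running IISReset by hand)
    & iisreset.exe | Out-Null

    [pscustomobject]@{ Server = $env:COMPUTERNAME; ProxyAddress = $effective; IisExitCode = $LASTEXITCODE }
}

Invoke-Command -ComputerName $connectorServers -ScriptBlock $configureProxy -ArgumentList $proxyAddress |
    Format-Table Server, ProxyAddress, IisExitCode -AutoSize
```

A non-zero IisExitCode on a server means IIS did not restart cleanly there and the connector may still be using the old (or no) proxy; check that node before pointing Exchange or SharePoint at it.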

Installing the RMS connector administration tool on administrative computers

You can run the RMS connector administration tool from a computer that does not have the RMS connector installed, if that computer meets the following requirements:

  • A physical or virtual computer running Windows Server 2019, 2016, 2012 or Windows Server 2012 R2 (all editions), Windows 10, Windows 8.1, or Windows 8.

  • At least 1 GB of RAM.

  • A minimum of 64 GB of disk space.

  • At least one network interface.

  • Access to the internet via a firewall (or web proxy).

To install the RMS connector administration tool, run the following files:

  • For a 64-bit computer: RMSConnectorSetup.exe

If you haven't already downloaded these files, you can do so from the Microsoft Download Center.

Next steps

Now that the RMS connector is installed and configured, you are ready to configure your on-premises servers to use it. Go to Configuring servers for the Azure Rights Management connector.