IRM in Exchange hybrid deployments

Summary: How IRM works in an Exchange hybrid environment, and how to configure IRM to work between Exchange Online and your on-premises Exchange servers.

Information Rights Management (IRM) helps you protect against leakage of sensitive information by providing persistent online and offline protection of email messages and attachments. Both your Exchange on-premises organization and Exchange Online, in Office 365 for enterprises, support IRM. However, there are differences between the two implementations, and you need to configure IRM in the Exchange Online organization before users in that organization can use it.

IRM uses Active Directory Rights Management Services (AD RMS), which is a component of Windows Server 2008 and later. AD RMS allows users to create rights-protected content, such as email messages and attachments, and then control how that content is used and to whom it's distributed. Users can specify templates that determine how content can be used. For example, a user may specify that an email message can't be forwarded to other recipients, or that information in the message can't be copied.

Learn more about IRM in Exchange 2010 at: Understanding Information Rights Management.

Learn more about IRM in Exchange 2013 and Exchange 2016 at: Information Rights Management.

Learn more about AD RMS at: Active Directory Rights Management Services Overview.

Differences between IRM in Exchange on-premises and Exchange Online

The IRM functionality that's available in your on-premises Exchange organization may differ from the functionality available in your Exchange Online organization. The following table summarizes the features and functionality available in each organization. (Learn more about these features at: Understanding Information Rights Management.)

Available IRM features

| Feature | Available in Exchange 2007 and earlier | Available in Exchange 2010 | Available in Exchange Online and Exchange 2013 and later |
|---|---|---|---|
| Manual protection of messages in Outlook | Yes | Yes | Yes |
| Manual protection of messages in Outlook Web App | No | Yes | Yes |
| View IRM-protected messages in Outlook | Yes | Yes | Yes |
| View IRM-protected messages in Outlook Web App | No | Yes | Yes |
| IRM pre-licensing agent | Yes | Yes | Yes |
| RMS policy templates | No | Yes | Yes |
| Transport decryption | No | Yes | Yes |
| Journal report decryption | No | Yes | Yes |
| Exchange Search and discovery decryption | No | Yes | Yes |
| Automatic Outlook protection rules | No | No | Yes |
| Automatic transport protection rules | No | Yes | Yes |

IRM in hybrid deployments

Exchange uses the AD RMS servers in the Active Directory forest in which the Exchange server is installed. For your on-premises Exchange servers, the on-premises AD RMS server is used. For your Exchange Online organization, AD RMS servers maintained within the Office 365 datacenters are used. The AD RMS configuration that each Exchange organization uses is independent of any other AD RMS deployment.

AD RMS configuration, and therefore IRM configuration, isn't automatically replicated between your on-premises Exchange organization and the Exchange Online organization. Any AD RMS templates that you've defined aren't automatically copied to the Exchange Online organization. If you want the same AD RMS templates to be available in the Exchange Online organization, you must manually export the templates from your on-premises organization and apply them to the Office 365 organization. See Configure IRM in hybrid deployments later in this topic.

User experience

The IRM configuration that's applied to a user depends on the client the user uses and the location of the user's mailbox. The following table shows the AD RMS server a user will use.

Active AD RMS server

| Client | On-premises mailbox | Exchange Online mailbox |
|---|---|---|
| Outlook desktop clients | On-premises AD RMS | On-premises AD RMS |
| Outlook on the web | On-premises AD RMS | Exchange Online AD RMS |
| ActiveSync device | On-premises AD RMS | Exchange Online AD RMS |

Depending on the AD RMS configuration you set up in your on-premises and Exchange Online organizations, a user who uses Outlook 2007 and Outlook on the web may see different AD RMS templates. For this reason, we strongly recommend that you apply the same templates to both your on-premises and Exchange Online organizations.

There should be no difference in the IRM experience for Outlook client users, regardless of whether their mailbox is located in the on-premises or Exchange Online organization.

An Outlook on the web user whose mailbox is located on an Exchange on-premises server can only open rights-protected messages after installing the Rights Management for Internet Explorer add-in. They can't reply to or create new rights-protected messages.

An Outlook on the web user whose mailbox is located in Exchange Online can open rights-protected messages without any additional software, and can reply to and create new rights-protected messages.

Server functionality

On-premises Exchange servers use the AD RMS pre-licensing agent to decrypt rights-protected messages so that users don't need to supply credentials when they open those messages. The on-premises Exchange server contacts the on-premises AD RMS server to check usage policies and rights, and to request authorization to decrypt the message.

The Exchange Online organization provides several additional IRM-related features that make use of Exchange Online AD RMS. These features, such as journal report decryption, make the content of rights-protected messages available to Exchange services for additional processing. For example, the decrypted contents of a journaled message can be saved, along with the original rights-protected message, to allow for easier discovery. Additionally, IRM templates can be applied to messages automatically using either Outlook protection rules or transport rules, to ensure that messages adhere to organization policies regarding information protection.

Configure IRM in hybrid deployments

IRM in Exchange relies on AD RMS being deployed in the Active Directory forest in which the Exchange server resides. AD RMS configuration isn't automatically synchronized between the on-premises and Exchange Online organizations. You must manually export the AD RMS configuration, known as a trusted publishing domain (TPD), from your on-premises AD RMS server, and import that configuration into the Exchange Online organization. The TPD contains the AD RMS configuration, including the templates, that the Exchange Online organization needs in order to use IRM.

Learn more at: AD RMS Trusted Publishing Domain Considerations.

In addition to applying your on-premises AD RMS configuration to the Exchange Online organization, you must ensure that your AD RMS servers can be contacted by Outlook and ActiveSync clients outside of your on-premises network. This is required if you want those clients to access rights-protected messages from outside your on-premises network.

After you've configured your on-premises network and exported the TPD data, you need to configure the Exchange Online organization by importing the TPD data and enabling IRM.

Note

Any time you modify your on-premises AD RMS configuration, you must manually apply the new configuration in the Exchange Online organization. To do so, export the TPD data from your on-premises AD RMS server and import it into the Exchange Online organization.

How to configure IRM in Exchange hybrid deployments

If you use IRM in your on-premises Exchange organization and you want your Exchange Online users to also use IRM, you need to do the following:

  1. Configure your on-premises Active Directory Rights Management Services (AD RMS) server.

  2. Enable IRM in your Exchange Online organization.

  3. Distribute the imported AD RMS templates to users in the Exchange Online organization.

How do I configure on-premises AD RMS servers?

To configure IRM in a hybrid deployment, you need to use Windows PowerShell to access your on-premises AD RMS server. Learn more at: Using Windows PowerShell to Administer AD RMS.

Do the following to export trusted publishing domain (TPD) data from your on-premises AD RMS server, and then configure access to the AD RMS server for external clients.

  1. Export TPD data from your on-premises organization. Learn more at: Exporting a Trusted Publishing Domain.

  2. Configure access to AD RMS servers from external clients. Learn more at: Adding an Extranet Cluster URL.

How do I enable IRM in the Exchange Online organization?

After you export the TPD data from your on-premises AD RMS servers, you need to import that data into the Exchange Online organization and then enable IRM.

  1. In the Exchange Online organization, import the TPD data.

    Import-RMSTrustedPublishingDomain -FileData $( [Byte[]] (Get-Content -Encoding Byte -Path "<Path to exported TPD file>" -ReadCount 0))
    
  2. Enable IRM in the Exchange Online organization.

    Set-IRMConfiguration -InternalLicensingEnabled $True
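The two steps above carried through as one script, as an added example that is not part of the original page. It assumes an existing Exchange Online PowerShell session, and the file path, the TPD name and the mailbox-free verification at the end are assumptions; the `-Name` and `-Default` parameters of Import-RMSTrustedPublishingDomain and the Get-RMSTrustedPublishingDomain and Get-IRMConfiguration cmdlets are assumed to be available in your tenant.

```powershell
# Added example, not from the page: import an exported TPD into Exchange Online,
# enable IRM, and confirm that licensing is actually on before moving to the
# template-distribution step.

# Hypothetical path to the TPD XML file exported from the on-premises AD RMS server.
$TpdPath = 'C:\Temp\ContosoTPD.xml'

if (-not (Test-Path -Path $TpdPath)) {
    throw "TPD export not found at '$TpdPath'. Export it from the on-premises AD RMS server first."
}

# Read the export as raw bytes. [System.IO.File]::ReadAllBytes works in both
# Windows PowerShell 5.1 and PowerShell 7; the page's 'Get-Content -Encoding Byte'
# form only exists in Windows PowerShell (PowerShell 7 uses -AsByteStream instead).
$tpdBytes = [System.IO.File]::ReadAllBytes($TpdPath)

# Import the TPD. -Name labels the domain in Exchange Online (assumed name);
# -Default makes it the TPD used when Exchange Online protects new content.
Import-RMSTrustedPublishingDomain -FileData $tpdBytes -Name 'Contoso on-premises TPD' -Default

# Enable IRM for the Exchange Online organization (the page's step 2).
Set-IRMConfiguration -InternalLicensingEnabled $true

# Verify: the imported TPD should be listed, and InternalLicensingEnabled should be True.
Get-RMSTrustedPublishingDomain | Format-Table Name, Default

$config = Get-IRMConfiguration
if (-not $config.InternalLicensingEnabled) {
    throw 'IRM is still disabled in Exchange Online; review the Set-IRMConfiguration output.'
}
Write-Output 'TPD imported and IRM enabled in Exchange Online.'
```

The explicit check on `InternalLicensingEnabled` matters in practice: if the import succeeded but licensing is off, Outlook on the web users in Exchange Online will still be unable to apply templates, and the template-distribution steps that follow will appear to work while protecting nothing.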
    

How do I distribute AD RMS templates in the Exchange Online organization?

After you've enabled IRM in the Exchange Online organization, you must distribute the imported AD RMS templates. The following Exchange Online users and features use AD RMS templates:

  • Outlook on the web users

  • Exchange ActiveSync users

  • Transport rules

  • Journal report decryption

  • Outlook protection rules

  1. In the Exchange Online organization, retrieve a list of AD RMS templates.

    Get-RMSTemplate -Type All
    
  2. Distribute the AD RMS templates to users and features in the Exchange Online organization.

    Set-RMSTemplate <template name> -Type Distributed
    

    Note

    You can't modify the "Do Not Forward" AD RMS template.

  3. Repeat step 2 for each AD RMS template you want to distribute.

How do I know this worked?

Outlook on the web users should be able to apply AD RMS templates to new messages. Outlook on the web and Exchange ActiveSync users should be able to read messages that have AD RMS templates applied to them. In addition, all the AD RMS templates that were imported from your on-premises organization should be listed when you run the Get-RMSTemplate cmdlet.

Run the following command in the Exchange Online organization.

Get-RMSTemplate 
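The distribution steps (retrieve, distribute, repeat for each template) and the verification above, carried through as one script. This is an added example and not code from the original page; it assumes an existing Exchange Online PowerShell session, that the objects returned by Get-RMSTemplate expose `Name` and `Type` properties, that Test-IRMConfiguration with `-Sender` is available in the tenant, and the sender address is a placeholder.

```powershell
# Added example, not from the page: distribute every imported AD RMS template
# except the built-in "Do Not Forward" template (which the page says can't be
# modified), then verify the result the way the page describes.

# Placeholder Exchange Online mailbox used for the end-to-end IRM test.
$SenderAddress = 'user@contoso.example'

# Step 1: retrieve all templates, distributed and archived (the page's Get-RMSTemplate -Type All).
$templates = Get-RMSTemplate -Type All

# Steps 2 and 3: distribute each template that isn't already distributed.
foreach ($template in $templates) {
    if ($template.Name -eq 'Do Not Forward') {
        Write-Verbose "Skipping built-in template '$($template.Name)'; it can't be modified."
        continue
    }
    if ($template.Type -ne 'Distributed') {
        Write-Output "Distributing template '$($template.Name)'"
        Set-RMSTemplate -Identity $template.Name -Type Distributed
    }
}

# Verification 1: this is the list Outlook on the web, ActiveSync, transport rules,
# journal report decryption and Outlook protection rules will see.
Get-RMSTemplate -Type Distributed | Format-Table Name, Description

# Verification 2: compare against what was imported. Any template still marked
# Archived is invisible to users and features until it is distributed.
$stillArchived = Get-RMSTemplate -Type Archived | Where-Object { $_.Name -ne 'Do Not Forward' }
if ($stillArchived) {
    Write-Warning ("Templates not yet distributed: " + (($stillArchived | ForEach-Object Name) -join ', '))
}

# Verification 3: Test-IRMConfiguration exercises template lookup, encryption,
# decryption and pre-licensing for a mailbox, which catches TPD or licensing
# problems that a bare Get-RMSTemplate listing would not reveal.
Test-IRMConfiguration -Sender $SenderAddress | Format-List
```

Running `Test-IRMConfiguration` in addition to `Get-RMSTemplate` is the practical difference: the listing only proves the templates were imported and marked Distributed, while the test proves Exchange Online can actually protect and decrypt a message for a real mailbox with the imported TPD.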

Learn more at: Understanding Information Rights Management in Outlook Web App.