Configure IRM to use an on-premises AD RMS server

For use with on-premises deployments, Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology in Windows Server 2008 and later. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization's firewall.

This topic shows you how to configure IRM to use an AD RMS server. For information about using the new capabilities for Office 365 Message Encryption with Azure Active Directory and Azure Rights Management, see the Office 365 Message Encryption FAQ.

To learn more about IRM in Exchange Online, see Information Rights Management in Exchange Online.

What do you need to know before you begin?

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

How do you do this?

Step 1: Use the AD RMS console to export a trusted publishing domain (TPD) from an AD RMS server

The first step is to export a trusted publishing domain (TPD) from the on-premises AD RMS server to an XML file. The TPD contains the following settings needed to use RMS features:

  • The server licensor certificate (SLC) used for signing and encrypting certificates and licenses

  • The URLs used for licensing and publishing

  • The AD RMS rights policy templates that were created with the specific SLC for that TPD

When you import the TPD, it's stored and protected in Exchange Online.

  1. Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.

  2. In the console tree, expand Trust Policies, and then click Trusted Publishing Domains.

  3. In the results pane, select the certificate for the domain you want to export.

  4. In the Actions pane, click Export Trusted Publishing Domain.

  5. In the Publishing domain file box, click Save As to save the file to a specific location on the local computer. Type a file name, making sure to specify the .xml file name extension, and then click Save.

  6. In the Password and Confirm Password boxes, type a strong password that will be used to encrypt the trusted publishing domain file. You will have to specify this password when you import the TPD to your cloud-based email organization.

Step 2: Use the Exchange Management Shell to import the TPD to Exchange Online

After the TPD is exported to an XML file, you have to import it to Exchange Online. When a TPD is imported, your organization's AD RMS templates are also imported. When the first TPD is imported, it becomes the default TPD for your cloud-based organization. If you import another TPD, you can use the Default switch to make it the default TPD that is available to users.

To import the TPD, run the following command in Windows PowerShell:

Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path <path to exported TPD file> -ReadCount 0)) -Name "<name of TPD>" -ExtranetLicensingUrl <URL> -IntranetLicensingUrl <URL>

You can obtain the values for the ExtranetLicensingUrl and IntranetLicensingUrl parameters in the Active Directory Rights Management Services console. Select the AD RMS cluster in the console tree. The licensing URLs are displayed in the results pane. These URLs are used by email clients when content has to be decrypted and when Exchange Online needs to determine which TPD to use.

When you run this command, you'll be prompted for a password. Enter the password that you specified when you exported the TPD from your AD RMS server.

For example, the following command imports the TPD named Exported TPD using the XML file that you exported from your AD RMS server and saved to the desktop of the Administrator account. The Name parameter is used to specify a name for the TPD.

Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path C:\Users\Administrator\Desktop\ExportTPD.xml -ReadCount 0)) -Name "Exported TPD" -ExtranetLicensingUrl https://corp.contoso.com/_wmcs/licensing -IntranetLicensingUrl https://rmsserver/_wmcs/licensing

For detailed syntax and parameter information, see Import-RMSTrustedPublishingDomain.

How do you know this step worked?

To verify that you have successfully imported the TPD, run the Get-RMSTrustedPublishingDomain cmdlet to retrieve the TPDs in your Exchange Online organization. For details, see the examples in Get-RMSTrustedPublishingDomain.

Step 3: Use the Exchange Management Shell to distribute an AD RMS rights policy template

After you import the TPD, you must make sure an AD RMS rights policy template is distributed. A distributed template is visible to Outlook on the web (formerly known as Outlook Web App) users, who can then apply the template to an email message.

To return a list of all templates contained in the default TPD, run the following command:

Get-RMSTemplate -Type All | fl

If the value of the Type parameter is Archived, the template isn't visible to users. Only distributed templates in the default TPD are available in Outlook on the web.

To distribute a template, run the following command:

Set-RMSTemplate -Identity "<name of the template>" -Type Distributed

For example, the following command distributes the Company Confidential template.

Set-RMSTemplate -Identity "Company Confidential" -Type Distributed

For detailed syntax and parameter information, see Get-RMSTemplate and Set-RMSTemplate.

The Do Not Forward template

When you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template named Do Not Forward is imported. By default, this template is distributed when you import the default TPD. You can't use the Set-RMSTemplate cmdlet to modify the Do Not Forward template.

When the Do Not Forward template is applied to a message, only the recipients addressed in the message can read the message. Additionally, recipients can't do the following:

  • Forward the message to another person.

  • Copy content from the message.

  • Print the message.

Important

The Do Not Forward template can't prevent information in a message from being copied with third-party screen capture programs or cameras, or from being transcribed manually by users.

You can create additional AD RMS rights policy templates on the AD RMS server in your on-premises organization to meet your IRM protection requirements. If you create additional AD RMS rights policy templates, you have to export the TPD from the on-premises AD RMS server again and refresh the TPD in the cloud-based email organization.

How do you know this step worked?

To verify that you have successfully distributed an AD RMS rights policy template, run the Get-RMSTemplate cmdlet to check the template's properties. For details, see the examples in Get-RMSTemplate.

Step 4: Use the Exchange Management Shell to enable IRM

After you import the TPD and distribute an AD RMS rights policy template, run the following command to enable IRM for your cloud-based email organization.

Set-IRMConfiguration -InternalLicensingEnabled $true

For detailed syntax and parameter information, see Set-IRMConfiguration.

How do you know this step worked?

To verify that you have successfully enabled IRM, run the Get-IRMConfiguration cmdlet to check the IRM configuration in the Exchange Online organization.

How do you know this task worked?

To verify that you have successfully imported the TPD and enabled IRM, do the following:

  • Use the Test-IRMConfiguration cmdlet to test IRM functionality. For details, see "Example 1" in Test-IRMConfiguration.

  • Compose a new message in Outlook on the web and IRM-protect it by selecting the Set permissions option from the extended menu (More Options icon).
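Steps 2 to 4 and their verification checks, chained into one script. This is an added example, not code from the Microsoft documentation; it assumes an Exchange Online PowerShell session is already connected, and the file path, TPD name, licensing URLs, template name and sender address are placeholders to replace with your own values.

```powershell
# Added example: import the exported TPD, distribute a template, enable IRM
# and verify each step. Not code from the original page; run inside an
# existing Exchange Online PowerShell session.
# Placeholder values (replace with your own):
$TpdPath     = 'C:\Users\Administrator\Desktop\ExportTPD.xml'
$TpdName     = 'Exported TPD'
$ExtranetUrl = 'https://corp.contoso.com/_wmcs/licensing'
$IntranetUrl = 'https://rmsserver/_wmcs/licensing'
$Template    = 'Company Confidential'
$TestSender  = 'admin@contoso.com'   # placeholder: a mailbox in this tenant

# Step 2: read the TPD file as raw bytes. '-Encoding byte' exists only in
# Windows PowerShell 5.1; PowerShell 6 and later use '-AsByteStream'.
if ($PSVersionTable.PSVersion.Major -ge 6) {
    $tpdBytes = [byte[]](Get-Content -AsByteStream -Path $TpdPath -ReadCount 0)
} else {
    $tpdBytes = [byte[]](Get-Content -Encoding byte -Path $TpdPath -ReadCount 0)
}

# The cmdlet prompts for the password chosen when the TPD was exported.
Import-RMSTrustedPublishingDomain -FileData $tpdBytes -Name $TpdName `
    -ExtranetLicensingUrl $ExtranetUrl -IntranetLicensingUrl $IntranetUrl

# Verify: the TPD exists and is the default (the first import becomes default).
$tpd = Get-RMSTrustedPublishingDomain -Identity $TpdName
if (-not $tpd) { throw "TPD '$TpdName' was not imported." }
$defaultTpd = Get-RMSTrustedPublishingDomain -Default
if ($defaultTpd.Name -ne $TpdName) {
    Write-Warning "Default TPD is '$($defaultTpd.Name)', not '$TpdName'."
}

# Step 3: list templates in the default TPD (Archived ones are invisible to
# users) and distribute the chosen template if it is not already distributed.
$templates = Get-RMSTemplate -Type All
$templates | Format-Table Name, Type -AutoSize
$target = $templates | Where-Object { $_.Name -eq $Template }
if (-not $target) { throw "Template '$Template' not found in the default TPD." }
if ($target.Type -ne 'Distributed') {
    Set-RMSTemplate -Identity $Template -Type Distributed
}

# Step 4: enable IRM for the organization and confirm the setting took effect.
Set-IRMConfiguration -InternalLicensingEnabled $true
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) { throw 'InternalLicensingEnabled is still False.' }

# End-to-end check: run the built-in IRM checks for the given sender.
Test-IRMConfiguration -Sender $TestSender
```

The Do Not Forward template is left untouched because Set-RMSTemplate cannot modify it; any other template can be distributed by changing $Template.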