o365 workbook-2014
TRANSCRIPT
Cluster AGS
Agencies:DCS
GOER / DCB
OGS
DVA
Cluster BHC
New ID is DA
Agencies:OFA
OPWDD
DDPC
JUSTICE
Cluster EEC
Agencies:AGM
DEC/APA
OPR
DPS
Cluster FRG
Agencies:DOB
DFS
GAMING
DTF
Cluster GGC
Agencies:BOE
OIG
JCOPE
SLA
DOS/ABO
DMV
WCB
Cluster HLT
Agencies:DOH
OMIG
OMH
OASAS
Cluster HSC
Agencies:OCFS/CCF
DHR
DOL
OTDA
COUNTIES & VA
HESC
Cluster PSC
Agencies:DOCCS
SCOC
DCJS/BESO
OPVD
DHSES
IOLA
ILS
SCJC
DSP/NYSP
DMNA
OVS
Cluster TED
Agencies:ESD
DHCR
DOT
Clusters to Agencies
Zscaler
(proxy) O365 Cloud
NYSE-MAIL
O365
ITS Data Center
Secure VPN (IPSEC)
2 Way AD Trust
FIM Service
DC
Agency Data
Center
ADFS
(responsible for single user login)
I-Ports
New Data Center
CNSE
Svc.ny.gov
ADFS 3.0
(responsible for single user login)
3rd party information security cloud-based company
Services:Web filtering
AV
spyware
From Agency
If used, disable SSL inspection
ADFS 3.0
ADFS 2.0
To be Retired
AD work Quick View
Extend schema for source anchor
Create & lockdown service account _fimagent
Add SMTP domains to forest
Populate UPN field
Make firewall changes / test and verify
Validate trust
Initial FIM sync
Configure co-location dc’s
Create IPSEC policy
2 Way AD Trust
Secure VPN (IPSEC)
Non-Sync Folder
Initial Sync location
Sync Folder
Pre cloud location
ADFS 3.0
Agency’s Co-Located DC
Agency will perform an initial sync to the NYSemail Non-Sync folder.
The accounts will be moved to a sync folder in preparation for syncing to the cloud.
Connectivity Overview of
Agency to Data Centers
BES
Blackberry
BES communicates to the agency's DC. It needs to have the IP addresses of those DC's.
DC's communicate to the data center's BES for Blackberry service.
FIM Sync
DIRSYNC
During the Dir-Sync the source anchor gets written back to the customer's AD; afterwards mail gets written back to the customer.
Physical Fiber Network
NYENET
O365 Cloud
DOMAIN
SVC.NY.GOV
Enterprise Services
ADFS 3.0
DOMAIN
NYSEMAIL.NYENET
Legacy
ADFS 2.0 / FIM
DOMAIN
AGENCY.NY.GOV
DOMAIN
AGENCY.NY.GOV
DOMAIN
AGENCY.NY.GOV
DOMAIN
AGENCY.NY.GOV
2 Way Trust
2 Way Trust
DOMAIN
FS.SVC.NY.GOV
10.108.16.25
10.64.27.149
Review
Prerequisites
Check List
Read Play Book
Assign Tasks
Review and Fill
out Checklist
Review AD
Checklist
Document
Needed
Changes
Document
Needed
Changes
Document
Work to be
performed
Perform Needed
Changes
Schedule Dates
Assign tasks
Create test mail
boxes in cloud
Migrate user contacts
Setup test users
Change MX
records
premigration
Migrate user
calendar
Migrate user
mail / delta
Migrate user mail
precut over
Initial process flow / Agency
Mail process flow / ITS
Monitor users for issues
Resolve any issues
Test functionality
AD work Quick View
Extend schema for source anchor
Create & lockdown service account _fimagent
Add SMTP domains to forest
Populate UPN field
Make firewall changes / test and verify
Build 2 trust / CNSE & NYSe
Validate trust
Initial FIM sync to NYSe
Configure co-location dc’s / CNSE
Create IPSEC policy
Resolve any issues
Create Live mail
boxes in cloud
INTERNET
O365
Zscaler
Web Proxy
Information security
cloud based company
Agency
Server Server Server
Basic Design of Zscaler
Web Filtering
Antivirus
Spyware
UserUserUser
Browser is NOT set to use specific port
Transparent Proxy
Stores copy of content on proxy
Browser is set to use specific port ex:3128
Normal Proxy
Stores copy of content on proxy
Sits on port 80, 443
Only difference is that NO browser configuration is needed
Listens on specific port
Web Server
User
Static cacheable content stored on proxy
Dynamic NON- cacheable content
Reverse Proxy
Reverse Proxy
Transparent Proxy
Normal Proxy
Used on web server side to accelerate
Proxy Server Descriptions
O365 Cloud Services
Migration Server
Quest Tool
Migration Server
Quest Tool
Migration Server
Quest Tool GroupWise
Mail Server
GroupWise Migration Work
Flow using Migration Servers
Can have as many migration
servers as you want
In VM create and configure your
first machine and then clone it
Open ports and add IP’s in firewall
allowing O365 cloud connectivity
Open ports for the migration servers
Ports: 443, 5985 and 5986
Migration servers must have an Outlook
client and Domain Admin Account
Configure migration software (Quest
Tool) as per the technical instructions
Shared mailboxes come over as user mailboxes and must be converted
CSV files are created and manipulated before cloud placement
It is very important that you follow the supplied instructions for both the firewall configuration and the migration server setup for this process to work properly
O365 Cloud Services
Migration Server
Quest Tool
Migration Server
Quest Tool
Migration Server
Quest Tool
Lotus Notes
Mail Server
Lotus Notes Migration Work
Flow using Migration Servers
Can have as many migration
servers as you want
Quest migration tool uses a SQL instance; you can either use an existing SQL server or the cut version supplied with the Quest tool
In VM create and configure your
first machine and then clone it
Open ports and add IP’s in firewall
allowing O365 cloud connectivity
Open ports for the migration servers
Migration servers must have an Outlook
client and Domain Admin Account
Configure migration software (Quest
Tool) as per the technical instructions
Shared mailboxes come over as user mailboxes and must be converted
TSV files are created
Files can be exported, altered and then imported back into SQL
It is very important that you follow the supplied instructions for both the firewall configuration and the migration server setup for this process to work properly
SQL Database Server
O365 Cloud Services
MRS 1
MRS 2
MRS 3
Exchange Server
Exchange Migration Work Flow
Using Migration Servers (MRS)
Can have as many migration
servers as you want
In VM create and configure your
first machine and then clone it
Open ports and add IP’s in firewall
allowing O365 cloud connectivity
Open ports for the migration servers
Migration servers must have an Outlook
client and Domain Admin Account
Configure migration software (Quest
Tool) as per the technical instructions
Shared mailboxes come over as user mailboxes and must be converted
It is very important that you follow the supplied instructions for both the firewall configuration and the migration server setup for this process to work properly
Office 365
Cloud Services
GW AD
OMH
GroupWise / Notes
IMAP Migration Option
1- Create empty user mail boxes on the Office 365 cloud
2- User will connect to both the cloud mail box and the existing GW mail box through the Outlook client utilizing IMAP
3- User will migrate their mail over to the cloud mail box within a specified amount of time
4- All global contacts and calendars will be migrated over
User User User
User using Outlook client utilizing the IMAP functionality
Notes
Internet
O365 Cloud
DLP
Lotus Notes
Or
GroupWise
Mail Server
Primary Domain
Example
Agency.ny.gov
Sub Domain
Example:
SUB.Agency.ny.gov
Current Mail Flow
MX
Record
Current
MX
Record
Changed
Forwarders are put in place which will forward mail to the sub domain, all transparent to the end user
Day of cutover the forwarders are removed; mail then will reside in the cloud only
Current MX record points back to primary domain
Changed MX record points back to the O365 cloud
What does this accomplish:
1- MX record change done and propagated
2- Easier cut-over
3- Early licensing
4- Mail accounts are prepopulated
Utilization of a Sub Domain in Lotus
Notes or GroupWise
Agency MUST supply us with the SMTP server IP and/or server name, also an NYENet routable IP address for an SMTP server
Internal Information:
In cloud create a mail flow connector
Create contact with address
MB forwarded to contact
O365 Cloud
SMTP.NYSEMAIL.NYENET
10.65.32.73 (port 2525)
NYSEmail
Secure VPN (IPSEC)
2 Way AD Trust
ADFS 3.0
(responsible for single user login)
ADFS 3.0
2 Way AD Trust
Secure VPN (IPSEC)
TLS Encryption to
Cloud
SMTP RELAY FROM
AGENCY to CLOUD
Agency
DLP function is executed in the cloud through transport rules
DLP requirements are supplied by the agency
Point your SMTP server to SMTP.NYSEMAIL.NYENET
10.64.32.73 (port 2525)
TLS sets up an encrypted connection between our servers and the cloud
Encryption functions are performed in the cloud when sending (subject line = encryption:) and it is also capable of decryption
SMTP
Server
6 clustered / redundant SMTP servers
being monitored through the System Center
Operations Manager (SCOM) monitoring
tool
Applications Using SMTP Mailing
Features
By default mail stored in the cloud is encrypted
By default the cloud tries TLS first
By default O365 applies TLS first
TLS cannot be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS
Opportunistic TLS
By default in & out
Encryption types currently from Microsoft
Office 365
Recipient retrieves
message
Sender types in encrypt: in the subject line of the email
Email goes out with an SS #
Recipient is prompted to
login to Voltage services
Rule is enforced
Transverses to
Policy Filter
Tenant config data
& key database
Email is delivered
Received Email sign in
Message viewing portal
DLP Rules (EOP)
Encrypt: in subject
(voltage)
May have to create login
if new to service
1
2 3
4
5
6
7
Email is delivered
User sends Email
O365 Cloud
DLP
Check for sensitive data
Transport Rules
Key word match
Dictionary match
Regular expression
Specific count
User may get policy tip
Warning
Blocked
Override
Transport queue deletes messages after 48 hours by default
Action rules are quite extensive and
will be created to meet the business
requirements of the agency
Message may get forwarded to
transport queue for further review
Transport
Queue
DLP Data Flow
Transport Rules Components
Conditions
Exceptions
Actions
Enforce
Test with Policy Tips
Test without Policy Tips
Transport Rules Mode
Processing of Rule (by agent)
Rule 1: Conditions
How rule will be implemented: Enforce / Test with Policy Tips / Test without Policy Tips
Example: Rule 1 conditions are met
Rule 2: Exceptions
How rule will be implemented: Enforce / Test with Policy Tips / Test without Policy Tips
Example: Rule 2 exceptions are met
Rule 3: Actions
How rule will be implemented: Enforce / Test with Policy Tips / Test without Policy Tips
Example: Rule 3 actions are met
DLP Transport Rules Process
There are several types of messages that pass through an organization. Based on the message type, a message can be processed slightly differently by the Transport rules agent.
Mail Sent
Meets condition rule?
No: Deliver Mail
YES: Check Exception
Meets exception rule?
YES: Deliver Mail
No: Check Actions Rule
YES: Implement Rule
How rule will be implemented:
Enforce
Test with Policy Tips
Test without Policy Tips
DLP Transport Rule Flow Chart
Deliver Mail
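The DLP flow above (condition, then exception, then action, applied in one of the three rule modes) can be walked through in code. The following Python is an added example, not part of the workbook and not Exchange Online's own transport-rule agent; the SSN-shaped regular expression, the sender exception, the action names and the sample messages are all constructed here to show how each branch of the flow chart changes the disposition of a message.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed pattern for the "regular expression" condition type: an SSN-shaped string.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Rule:
    name: str
    keywords: Set[str] = field(default_factory=set)           # condition: key word match
    dictionary: Set[str] = field(default_factory=set)         # condition: dictionary match
    pattern: Optional[re.Pattern] = None                      # condition: regular expression
    min_count: int = 1                                        # condition: specific count
    exception_senders: Set[str] = field(default_factory=set)  # exception: sender is exempt
    action: str = "Warning"      # Warning | Blocked | Override | Queue (assumed action names)
    mode: str = "Enforce"        # Enforce | TestWithPolicyTips | TestWithoutPolicyTips


def condition_hits(rule: Rule, msg: Dict[str, str]) -> int:
    """Count how many times the rule's conditions match the subject and body."""
    text = f"{msg['subject']} {msg['body']}".lower()
    hits = sum(text.count(k.lower()) for k in rule.keywords)
    dictionary = {d.lower() for d in rule.dictionary}
    hits += sum(1 for w in re.findall(r"[a-z0-9]+", text) if w in dictionary)
    if rule.pattern is not None:
        hits += len(rule.pattern.findall(text))
    return hits


def evaluate(rule: Rule, msg: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Walk the flow chart for one rule and one message.
    Returns (disposition, policy_tip); disposition is 'deliver', 'blocked' or 'queued'."""
    if condition_hits(rule, msg) < rule.min_count:
        return "deliver", None                    # condition not met: deliver mail
    if msg["from"].lower() in {s.lower() for s in rule.exception_senders}:
        return "deliver", None                    # exception met: deliver mail, rule skipped
    tip = None if rule.mode == "TestWithoutPolicyTips" else f"{rule.name}: {rule.action}"
    if rule.mode != "Enforce":
        return "deliver", tip                     # test modes only surface the policy tip
    if rule.action == "Blocked":
        return "blocked", tip
    if rule.action == "Queue":
        return "queued", tip                      # held in the transport queue for review
    if rule.action == "Override":
        # the user may send anyway, but only when a justification is supplied
        return ("deliver", tip) if msg.get("justification") else ("blocked", tip)
    return "deliver", tip                         # Warning: policy tip only


# Constructed sample rule and messages (not real agency traffic).
SAMPLE_RULE = Rule("Block SSN", pattern=SSN_RE, action="Blocked",
                   exception_senders={"hr@agency.ny.gov"})
SAMPLE_MESSAGES = [
    {"from": "user@agency.ny.gov", "subject": "claim", "body": "SSN 123-45-6789 attached"},
    {"from": "user@agency.ny.gov", "subject": "lunch", "body": "noon today?"},
    {"from": "hr@agency.ny.gov", "subject": "claim", "body": "SSN 123-45-6789 attached"},
]


def run_samples():
    """Evaluate the sample rule against every sample message."""
    return [evaluate(SAMPLE_RULE, m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, (disposition, tip) in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{m['from']:22} {m['subject']:6} -> {disposition:8} tip={tip}")
```

Switching the same rule to `TestWithPolicyTips` leaves delivery untouched while still producing the tip, which is the safe way to measure how often a new rule would fire before enforcing it; `min_count` shows the "specific count" condition, where a single hit is not enough to trigger the rule.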
O365 Cloud
MFA
User’s Cell Phone
User’s Password
Biometric Scanner
Multi-Factor Authentication
The following is a list of the basic steps:
Enable MFA for end user(s): first we need to enable MFA for one or more Office 365 users;
Send e-mail to end users to notify them about MFA: next, we send users an e-mail notifying them about MFA;
Have a user sign in and complete the registration process: once we have enabled the account(s) for MFA, users can sign in and complete the registration process;
Configure app passwords for non-browser apps: after the registration process has been completed, users can set up application passwords for non-browser apps such as Outlook or Lync. This is required because these apps do not natively support MFA and users will be unable to use them unless an app password is configured.
The user can use a cell phone to receive a call back or a text message to verify the authentication in addition to their password; there is also an app for the Android OS.
OR
AND
O365 Cloud
SMTP.NYSEMAIL.NYENET
(port 2525)
NYSEmail
TLS Encryption to
Cloud
TLS sets up an encrypted connection between our servers and the cloud
6 clustered / redundant SMTP servers being
monitored through the System Center
Operations Manager (SCOM) monitoring tool
Agency
Point your SMTP server to
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP
Server
Applications Using SMTP Mailing
Features (port 25 or 2525)
Secure VPN (IPSEC)
2 Way AD Trust
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP Relay From Agency to NYSE With
the Use of a Local Agency SMTP Server
SMTP Server Cluster
TLS encryption from agency to SMTP cluster if the agency is invoking it. If not, it is still secure because the traffic is going through a secure VPN tunnel from agency to NYSE.
SMTP server sending out only on port 2525 to SMTP.NYSEMAIL.NYENET
TLS cannot be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS
Opportunistic TLS
By default in & out
By default O365 applies TLS first
O365 Cloud
SMTP.NYSEMAIL.NYENET
(port 2525)
NYSEmail
TLS Encryption to
Cloud
TLS sets up an encrypted connection between our servers and the cloud
6 clustered / redundant SMTP servers being
monitored through the System Center
Operations Manager (SCOM) monitoring tool
Agency
Applications point directly to SMTP.NYSEMAIL.NYENET (port 2525)
Applications Using SMTP Mailing
Features (port 2525)
Secure VPN (IPSEC)
2 Way AD Trust
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP Relay From Agency to NYSE
SMTP Cluster Without the use of an
SMTP Agency Relay Server
SMTP Server Cluster
By default O365
forces TLS
TLS cannot be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS
Opportunistic TLS
By default in & out
O365 Cloud
SMTP.NYSEMAIL.NYENET
(port 2525)
NYSEmail
TLS Encryption to
Cloud
6 clustered / redundant SMTP servers being
monitored through the System Center
Operations Manager (SCOM) monitoring tool
Agency
Point your SMTP servers to
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP
Server
Applications Using SMTP Mailing
Features (port 25 or 2525)
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP.NYSEMAIL.NYENET
(port 2525)
SMTP Relay From Agency to NYSE With
the Use of a Local Agency SMTP Server
SMTP Server Cluster
SMTP server sending out only on port
2525 to SMTP.NYSEMAIL.NYENET
TLS cannot be guaranteed through an email's entire path to its destination. After our environment and the cloud we have NO way of knowing if the servers in the remaining path are using TLS
Opportunistic TLS
By default in & out
DNS Resolver Cache
Q1
A1
Hosts File
DNS Server
DNS Server
DNS Server
DNS Server
Q2
A2
Zones
Q3
A3
DNS Server Cache
A4
Q4
Q5
A5
Client to Server
DNS Client (resolver)
DNS Server to Server (recursion)
Root hints File
Cache.dns
Other DNS Servers
AD work Quick View
Extend schema for source anchor
Create & lockdown service account _fimagent
Add SMTP domains to forest
Populate UPN field
Make firewall changes / test and verify
Validate trust
Initial FIM sync
Configure co-location dc’s
Create IPSEC policy
Create &
lockdown
service account
Extend Schema
Active Directory Work
Quick Overview
Add SMTP
domains to
forest
Populate UPN
field
Make firewall
changes
Validate trusts Initial FIM Sync
Create trusts
Work may run in
parallel to AD work
Based on firewall
template
Build co-lo DC’s
AD Objects
First Name.Last Name = UPN = Email Address
Post AD and Trust
Work Process Flow
Create test mail
box in cloud
FIM-Sync to test
OU
Check mail flow
in the cloud
Remove
forwarders
Pre-Migrate data
Migrate delta
Verify Contents
Verify test mail is
routing correctly
Dir-Sync AD
objects to cloud
(pre-licensed)
Add forwarders
to accounts
Change MX
record to point
to cloud O365
License mail
boxes
Move to Dir-Sync
OU
Day of Cut-Over
Client side setup
autodiscovery
Test Outlook
Login & Function
Test OWA
Login & Function
Re-sync hand
held devices
URL
Autodiscover.agency.ny.gov
Resolve issues
Work may run
parallel
Fully test mail
box in cloud
Synchronization Times: FIM = every hour; Dir = every 1.5 hours
AD Objects: First Name.Last Name - UPN - Email Address
Dir sync uses first and last name to create the email address in the cloud environment
Post AD and Trust
Work Process Flow
Create test mail
box in cloud
FIM-Sync to test
OU
Check mail flow
in the cloud
Pre-Migrate data
Migrate delta
Verify Contents
Verify test mail is
routing correctly
Dir-Sync AD
objects to cloud
(pre-licensed)
Add MX record to point to cloud O365
License mail
boxes
Move to Dir-Sync
OU
Day of Cut-Over
Client side setup
autodiscovery
Test Outlook
Login & Function
Test OWA
Login & Function
Re-sync hand
held devices
URL
Autodiscover.agency.ny.gov
Resolve issues
Work may run
parallel
Fully test mail
box in cloud
Synchronization Times: FIM = every hour; Dir = every 1.5 hours
AD Objects: First Name.Last Name - UPN - Email Address
Dir sync uses first and last name to create the email address in the cloud environment
Remove MX for
old Domain
Time Based Hold Policy
In Place Holds
How Long to Hold For
Query Based Hold Policy
Indefinite Hold Policy
What to Hold
In Place Holds vs Litigation Hold
Litigation Holds
Litigation hold only allows you to place all items on hold indefinitely, specify the litigation hold duration for a mailbox, or hold until the hold is removed.
When an item is placed on one or more In-Place Holds and litigation hold at the same time, all items are held indefinitely or until the holds are removed. If you remove litigation hold and the user is still placed on one or more In-Place Holds, items matching the In-Place Hold criteria are held for the period specified in the hold settings.
Hold Policies
Deleted Items
Deleted Mail Goes to the Deleted Items Folder First
Recoverable Items
Deleting the Deleted Items (soft delete) places the items in the Recoverable Items folder for 24-36 hours unless the mailbox is on litigation or In-Place Hold
Sub-Folders and behavior of Recoverable Items
Deletions: This subfolder contains all items deleted from the Deleted Items folder. This subfolder is exposed to users.
Versions: If In-Place Hold, litigation hold, or single item recovery is enabled, this subfolder contains the original and modified copies of the deleted items. This folder isn't visible to end users.
Purges: If either litigation hold or single item recovery is enabled, this subfolder contains all items that are hard deleted. This folder isn't visible to end users.
Discovery Holds: If In-Place Hold is enabled, this subfolder contains all items that meet the hold query parameters and are hard deleted.
Audits: If mailbox audit logging is enabled for a mailbox, this subfolder contains the audit log entries.
Calendar Logging: This subfolder contains calendar changes that occur within a mailbox. This folder isn't available to users.
Stage 1: Accepting Claims
Stage 2: Authorizing Claims
Stage 3: Issuing Claims
Acceptance Rules
Authorization Rules
Issuance Rules
Incoming Claim
DENY
Outgoing Claim
Claims Provider
Relying Party Trust
ADFS Claims Pipeline
Permit
ADFS Agency AD
Authentication Platform
Exchange or Sharepoint
Authentication Logging on With a Web Application
Online (O365)
1
2
3
4
5
Verify Token
Ask to authenticate
Gets token
Looks at UPN (ADFS)
The user hits the web-based app.
The web-based app says that you need to authenticate and it returns a URL to the Authentication Platform.
The Authentication Platform then takes the domain/UPN the user typed in and knows whether it is a federated domain/UPN, so it returns another URL to the client that points to the ADFS server.
The ADFS server will ask the user to authenticate via Kerberos or NTLM and, when the user is authenticated, the ADFS server gives the user a SAML token including the claims UPN and Source User ID (ImmutableID).
The client embeds this token in the old URL and sends it off to the Authentication Platform.
The Authentication Platform verifies the token and converts it to an Auth token, which contains the UPN and now a Unique ID from the Authentication Platform. This Auth token can now be used for login.
So it gets back to the client and then off to the web app.
URL to Platform
Return URL to ADFS
Authentication Steps:
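The claims pipeline slide and the login steps above describe three stages that the ADFS server runs before it hands the client a token carrying UPN and ImmutableID. The following Python is an added example, not part of the workbook and not ADFS's own rule language: it models the three stages as plain functions over a constructed AD account. The group names O365-Licensed and O365-Denied are assumptions used to show a Permit and a DENY outcome; the two claim type URIs are the ones the standard Office 365 relying-party rules emit, and deriving ImmutableID as the base64 of the raw objectGUID bytes is stated here as an assumption about the source anchor.

```python
import base64
import uuid
from typing import Dict, List, Optional

Claim = Dict[str, str]  # {"type": ..., "value": ...}

# Claim type URIs used by the standard Office 365 relying-party issuance rules.
UPN_CLAIM = "http://schemas.xmlsoap.org/claims/UPN"
IMMUTABLE_ID_CLAIM = "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"

# Constructed sample account (assumption: not a real user).
SAMPLE_AD_USER = {
    "userPrincipalName": "jane.doe@agency.ny.gov",
    "objectGUID": uuid.UUID("12345678-1234-5678-1234-567812345678"),
    "memberOf": ["Domain Users", "O365-Licensed"],   # group names are assumptions
    "telephoneNumber": "555-0100",
}

ACCEPTED_TYPES = {"upn", "objectguid", "group"}


def ad_user_to_claims(user: dict) -> List[Claim]:
    """Incoming claims as the agency AD (the claims provider) presents them."""
    claims = [{"type": "upn", "value": user["userPrincipalName"]},
              {"type": "objectguid", "value": str(user["objectGUID"])},
              {"type": "phone", "value": user["telephoneNumber"]}]
    claims += [{"type": "group", "value": g} for g in user["memberOf"]]
    return claims


def acceptance_rules(claims: List[Claim]) -> List[Claim]:
    """Stage 1: pass through only the claim types we accept from this provider."""
    return [c for c in claims if c["type"] in ACCEPTED_TYPES]


def authorization_rules(claims: List[Claim]) -> str:
    """Stage 2: Permit or Deny. An explicit deny wins; without a permit the default is Deny."""
    groups = {c["value"] for c in claims if c["type"] == "group"}
    if "O365-Denied" in groups:
        return "Deny"
    return "Permit" if "O365-Licensed" in groups else "Deny"


def guid_to_immutable_id(guid: uuid.UUID) -> str:
    # Assumption: ImmutableID is the base64 of the objectGUID bytes as AD stores them (bytes_le).
    return base64.b64encode(guid.bytes_le).decode("ascii")


def immutable_id_to_guid(value: str) -> uuid.UUID:
    """Inverse of guid_to_immutable_id, useful when reconciling a cloud object with AD."""
    return uuid.UUID(bytes_le=base64.b64decode(value))


def issuance_rules(claims: List[Claim]) -> List[Claim]:
    """Stage 3: build the outgoing claims for the token: UPN and ImmutableID (the source anchor)."""
    out: List[Claim] = []
    for c in claims:
        if c["type"] == "upn":
            out.append({"type": UPN_CLAIM, "value": c["value"]})
        elif c["type"] == "objectguid":
            out.append({"type": IMMUTABLE_ID_CLAIM,
                        "value": guid_to_immutable_id(uuid.UUID(c["value"]))})
    return out


def run_pipeline(user: dict) -> Optional[List[Claim]]:
    """Returns the outgoing claims for the relying-party trust, or None when stage 2 denies."""
    accepted = acceptance_rules(ad_user_to_claims(user))
    if authorization_rules(accepted) != "Permit":
        return None
    return issuance_rules(accepted)


if __name__ == "__main__":
    for claim in run_pipeline(SAMPLE_AD_USER) or []:
        print(claim["type"], "=", claim["value"])
```

The ordering matters: acceptance rules discard the telephone claim before authorization ever sees it, and a Deny at stage 2 means no token is issued at all, so nothing about the user reaches the relying party.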
2 Way Trust
= Resource
= User
Organizational Forest Model
= Forest
1 Way Trust
Resource Forest Model
1 Way Trust
= Service Account
Restricted Forest Model
No trust separate forest with no connectivity to any other forest
3 Types of Forest Models
Resources are located in their own forest containing the resource and needed service accounts
First Name Last Name UPN
Must Match
Email Address
Equals
The Email address is created during the DIR sync to the cloud from the first name, last and middle initial fields if needed based on the recipient policy
The first and last name must match the UPN entry
Non-Sync OU
Initial Sync location
Dir Sync OU
Pre cloud location
DC
Agency Data Center
FIM SYNC from the agency to NYSEMAIL
Objects are reviewed with agency
Once objects are verified they are moved to DIR Sync OU
DIR Sync to cloud creates cloud accounts and writes back to AD creating the Email address based on the first name, last and middle initial if needed
Agency dictates what OU to sync from and what attributes to sync
Apply recipient policy
License accounts to activate
Middle
Example:[email protected]
Example with middle initial:[email protected]
O365
Azure AD
FIM SYNC – DIR SYNC
Example with duplicates:[email protected]@[email protected]
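As an added example (not code from the workbook or from the Dir-Sync tool), the following Python applies the naming rules on this slide: the cloud address is first.last, the middle initial is added only when first.last is already taken, and the first and last name must match the UPN before an object is moved to the Dir-Sync OU. The placeholder domain agency.ny.gov and the numeric suffix used when even the middle initial does not make the address unique are assumptions; the slide only says that a middle initial is added "if needed".

```python
import re
from typing import Dict, List

DOMAIN = "agency.ny.gov"   # assumption: placeholder agency domain


def _norm(s: str) -> str:
    """Lower-case and drop anything that is not a letter or digit (spaces, hyphens, apostrophes)."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def derive_addresses(users: List[Dict[str, str]], domain: str = DOMAIN) -> Dict[str, str]:
    """Map each user's UPN to the cloud email address the recipient policy would create.
    Order of preference: first.last, then first.m.last when a middle initial exists, then
    (assumption) a numeric suffix when both are taken. Users are processed in the order given."""
    taken = set()
    result: Dict[str, str] = {}
    for u in users:
        first, last = _norm(u["first"]), _norm(u["last"])
        candidates = [f"{first}.{last}"]
        middle = _norm(u.get("middle", ""))[:1]
        if middle:
            candidates.append(f"{first}.{middle}.{last}")
        chosen = next((c for c in candidates if c not in taken), None)
        if chosen is None:
            n = 2
            while f"{candidates[-1]}{n}" in taken:
                n += 1
            chosen = f"{candidates[-1]}{n}"
        taken.add(chosen)
        result[u["upn"]] = f"{chosen}@{domain}"
    return result


def upn_matches_name(user: Dict[str, str], domain: str = DOMAIN) -> bool:
    """Slide rule: first and last name must match the UPN entry (middle initial allowed)."""
    local, _, upn_domain = user["upn"].lower().partition("@")
    first, last = _norm(user["first"]), _norm(user["last"])
    middle = _norm(user.get("middle", ""))[:1]
    allowed = {f"{first}.{last}"} | ({f"{first}.{middle}.{last}"} if middle else set())
    return local in allowed and upn_domain == domain


# Constructed sample objects (assumption: not real accounts).
SAMPLE_USERS = [
    {"first": "John", "last": "Smith", "upn": "john.smith@agency.ny.gov"},
    {"first": "John", "middle": "A", "last": "Smith", "upn": "john.a.smith@agency.ny.gov"},
    {"first": "John", "last": "Smith", "upn": "jsmith3@agency.ny.gov"},  # UPN ignores the convention
]


def review_report(users: List[Dict[str, str]] = SAMPLE_USERS):
    """What the agency reviews before objects are moved to the Dir-Sync OU:
    (UPN, address that would be created, whether the UPN follows the naming rule)."""
    addresses = derive_addresses(users)
    return [(u["upn"], addresses[u["upn"]], upn_matches_name(u)) for u in users]


if __name__ == "__main__":
    for upn, address, ok in review_report():
        print(f"{upn:30} -> {address:30} UPN matches name: {ok}")
```

Because the middle initial is only used when needed, the result depends on the order in which objects are synced: the third John Smith in the sample gets a suffixed address and also fails the UPN check, which is exactly the kind of object that should be caught during the review step before it reaches the Dir-Sync OU.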
AD Work
Trusts
FIM Sync
Validation
Firewall
Proxy
SMTP
Claims Rules
Encryption
DLP
Litigation Hold
Shared Mail Boxes
DL’s
Naming Convention
Key Topics to Verify for Completion of Mail Migration
Blackberry Devices List Serve
CSV Files
Migration Strategy
Non-Split DNS
Split DNS
Internet
Local DNS
(DNS) NS1.widget.com
Web Server(www.widget.com)
External User
Internal User
Xyz.local – 192.168.0.x
WWW – 65.104.3.x
FTP – 65.104.3.x
WWW – 65.104.3.x
FTP – 65.104.3.x
Split-DNS: Internal and External DNS Zones
External DNS Zones Only
You add the external zones to your internal DNS server, but never add your internal zone to the external DNS server
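The split-DNS rule on this slide can be checked mechanically. The following Python is an added example, not from the workbook: it holds the slide's widget.com / xyz.local layout as constructed zone data, resolves a name the way each server would, and audits that every external zone has an internal copy while the internal zone never appears on the external server. The LAN addresses used for the internal copy of widget.com are an assumption; the slide lists only the public 65.104.3.x addresses.

```python
from typing import Dict, List, Optional, Set

Zone = Dict[str, str]   # host label -> address

# Constructed zone data (assumption): the slide's widget.com example plus the
# internal-only zone xyz.local. The internal copy of widget.com answers with
# LAN addresses, which is the reason to run split DNS at all.
EXTERNAL_SERVER: Dict[str, Zone] = {      # NS1.widget.com, reachable from the Internet
    "widget.com": {"www": "65.104.3.10", "ftp": "65.104.3.11"},
}
INTERNAL_SERVER: Dict[str, Zone] = {      # local DNS, reachable only from the LAN
    "widget.com": {"www": "192.168.0.10", "ftp": "192.168.0.11"},
    "xyz.local": {"dc1": "192.168.0.1", "fileserver": "192.168.0.20"},
}
INTERNAL_ONLY_ZONES: Set[str] = {"xyz.local"}


def resolve(name: str, server: Dict[str, Zone]) -> Optional[str]:
    """Answer a query the way the given server would; None when it has no such zone or host."""
    host, _, zone = name.lower().partition(".")
    records = server.get(zone)
    return records.get(host) if records else None


def audit_split_dns(internal: Dict[str, Zone], external: Dict[str, Zone],
                    internal_only: Set[str]) -> List[str]:
    """Check the slide's rule: external zones are also hosted internally, and an
    internal zone never appears on the external server. Returns a list of findings."""
    findings: List[str] = []
    for zone in external:
        if zone in internal_only:
            findings.append(f"internal zone {zone} is published on the external DNS server")
        if zone not in internal:
            findings.append(f"external zone {zone} has no copy on the internal DNS server")
    for zone in internal_only:
        if zone not in internal:
            findings.append(f"internal-only zone {zone} is not hosted internally")
    return findings


if __name__ == "__main__":
    for name in ("www.widget.com", "dc1.xyz.local"):
        print(name, "internal:", resolve(name, INTERNAL_SERVER),
              "external:", resolve(name, EXTERNAL_SERVER))
    print("findings:", audit_split_dns(INTERNAL_SERVER, EXTERNAL_SERVER, INTERNAL_ONLY_ZONES))
```

The second finding type matters as much as the first: if widget.com is missing from the internal server, internal users fall back to the Internet view and lose the LAN addresses, so the audit flags both directions.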
SharePoint Site URL:
In-Place Hold
Ediscovery Query In Hold
Export Data to a PST
Ediscovery Center Officers
Discovery List of sources Ediscovery Work Flow
Discovery Management – Scope – Distribution List
AD account used for login
Added role
DL used to map email
access
Exchange Email
SharePoint Owner Site (permissions)
Ediscovery Center Manager
Based on Result
Yes / No
Active Directory Active Directory Active Directory
On Premise Active Directory Farm
Active Directory
Active Directory
FIM Sync
Runs every hour
Agency AD
Azure Active Directory
AD syncs (DIR) to the Azure Active Directory
Runs every 1.5 hours
Active Directory
Agency Co-Lo AD
Replication
Active Directory Flow
State Police Personnel
State Police Address Book ONLY
ITS Personnel located at State Police
GAL (minus) State Police Address Book
State Police Only
OR
TAX Personnel
TAX Address Book ONLY
ITS Personnel located at TAX
GAL (minus) SP Address Book
Entire Office 365 Tenant
GAL (minus) State Police
State Police has their own address book without the ability to see the entire GAL
1) ITS personnel stationed at State Police can see Only the GAL minus the SP address book, or
2) They can view Only the SP address book
Default GAL Settings (Global)
Address Book Scenarios
State Police / Tax and Finance Exceptions
Only visible to state police personnel
Tax has their own address book without the ability to see the entire GAL
ITS personnel stationed at Tax can see Only the GAL minus the SP address book
Division of State Police
Department of Tax and Finance
All Other Agencies
Web Server 1 Web Server 2 Web Server 3 Web Server 4
Router 2
Router 1
Load Balancer 2 (Standby)
Load Balancer 1 (Active)
Carrier Location 2
Carrier Location 1
Primary Path
Secondary Path
Fail Over Path
Fail Over with Load Balancers
VRRP
10.10.65.1 10.10.65.2 10.10.65.4 10.10.65.3
10.10.65.5
10.10.65.6
172.166.215.22
Vlan 1 10.10.65.x
Vlan 2 10.10.66.x
10.10.66.6
10.10.66.5
10.10.66.4 10.10.66.3
10.10.67.15
10.10.66.2 10.10.66.1 178.126.245.21
10.10.67.16 10.10.67.17
10.10.67.18
Vlan 3 10.10.67.x
192.168.1.2 192.168.1.6
192.168.1.5 192.168.1.1
192.168.1.3
192.168.1.4
192.168.1.7
192.168.1.10
192.168.1.9
192.168.1.8
192.168.1.11
192.168.1.12
192.168.10.15 192.168.10.16 192.168.10.17 192.168.10.18
Vlan 4 192.168.1.x
Vlan 5 192.168.10.x
215.215.67.67
218.56.44.200
Router 1
Firewall
Load Balancer 1 (Active)
Carrier Location 1
Web Server 1 Web Server 2 Web Server 3 Web Server 4
172.166.215.22 10.10.65.1 10.10.65.2
10.10.65.3 10.10.65.4 10.10.65.5
10.10.65.6
192.168.10.15 192.168.10.16 192.168.10.17 192.168.10.18
Vlan 1 10.10.65.x
Vlan 2 192.168.10.x
Load Balancer No Fail Over
AD RMS Server
Database Server AD Server
Information Author
2
Information Consumer
5
1
3
4
1 - Acquire certificates that enroll his or her computer and domain user account into the AD RMS certificate hierarchy.
2 - Once activated, an individual who wants to publish protected content uses their IRM-supported application to create an issuance license, also referred to as a publishing license, that specifies who can use the content and the terms of that use.
3 - The encrypted content and the signed issuance license are then made available for distribution to appropriate consumers.
4 - Once the activated user has retrieved the signed issuance license, the IRM-supported application uses it to request an end-user license, known as a use license, from the AD RMS licensing service specified in the issuance license. The end-user license contains a list of rights and conditions that apply to the requesting user.
5 - The IRM-supported application binds to, and enforces, the rights enumerated in the end-user license and uses the public key in the issuance license to decrypt the protected content.
Information Rights Management (IRM)
Restrictions applied to an email message or
documents
Can't copy
Can't save copy
Read only
No printing
Terminology
SLC – server licensor certificate, created when the AD-RMS role is installed and configured on the 1st server.
CLC – client licensor certificate, created by the cluster for a client request. It gives rights to publish rights-protected content.
Machine certificate – this is created on the machine the 1st time an AD-RMS application is used.
RAC – rights account certificate, establishes the user ID in the AD-RMS system.
Publishing license – this is created by the client when content is saved with rights protection.
User license – this specifies the rights that apply to rights-protected content.
IRM Process Flow
AD RMS Cluster Key
Protected by crypto service provider
User requests document
Protector for file type ?
Construct issuance license:
Add WSS and user plus library GUID
Is file already protected
Protector creates protected file stream,
accessing RMS encryption via WSS if necessary
Protector creates protected file stream
Protector adds IL and EUL to file stream
Abort download
Send document to user with current protection
Send protected file to user
Send file to user in unprotected format
Protector successful ?
YES
YES
NO
YES (Integrated)
YES (Autonomous)
Major Error
NO
YES
O365 Tenant
Azure Active Directory
File Server
SharePoint
Exchange
AD Services
ADFS 3.0
Azure AD Directory Sync Tool
Azure RMS
RMS Activated
RMS to Azure AD in Cloud
RMS Connector
AD RMS Server
Database Server AD Server
Information Author
Information Consumer
User License
User License
Publishing License
Publishing License
User License
Use License
Use License
Cluster Key
Protected by crypto service provider