Friday, 11 November 2011

Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide







Microsoft Corporation
Published: May 2007
Author: Brian Lich
Editor: Carolyn Eller

Abstract

This step-by-step guide provides instructions for setting up an Active Directory Rights Management Services (AD RMS) cluster from an extranet in a test environment on Windows Server® 2008. The extranet will be verified by attempting to open a rights-protected file from a client computer that is not on the organization's internal network.



This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, MS-DOS, Vista, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents

Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide
About this Guide
What This Guide Does Not Provide
Deploying AD RMS in a Test Environment
Step 1: Configuring AD RMS to Work in an Extranet
Step 2: Installing and Configuring ISA-SRV
Configure the ISA Server (ISA-SRV)
Publish AD RMS cluster to extranet
Step 3: Configuring AD RMS Extranet Client
Step 4: Verifying AD RMS Functionality using ADRMS-CLNT



About this Guide

This step-by-step guide walks you through the process of configuring Active Directory Rights Management Services (AD RMS) in a test environment that includes an extranet. An extranet is an extension of your organization's network to an external source. In this guide, the AD RMS cluster is extended to the Internet so that users can consume rights-protected content when not connected to the internal network. During this process, you install Microsoft Internet Security and Acceleration (ISA) Server 2006 Standard Edition, integrate it with AD RMS, and verify that you can open a rights-protected document from a computer that is not a member of your organizational network.
Once complete, you can use the test AD RMS lab environment to assess how AD RMS on Windows Server® 2008 can be created and deployed within your organization to accommodate extranet users.
As you complete the steps in this guide, you will:
Install and configure ISA Server 2006 Standard Edition with AD RMS.
Verify AD RMS functionality after you complete the configuration.
Note
ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy server that can listen on TCP ports 80 and 443 can be used. For the purposes of this guide, we will use ISA Server 2006 Standard Edition.

What This Guide Does Not Provide

This guide does not provide the following:
Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured for a test environment. For more information about configuring AD RMS, see the Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Complete technical reference for AD RMS or Microsoft ISA Server 2006 Standard Edition. For more information about Microsoft ISA Server 2006 Standard Edition, visit the ISA Server 2006 Technical Library (http://go.microsoft.com/fwlink/?LinkId=90738).

Deploying AD RMS in a Test Environment

We recommend that you use the steps provided in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide" before completing the steps in this guide. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional documentation and should be used with discretion as a stand-alone document.
Upon completion of this Step-by-Step guide, you will have a working AD RMS test lab environment configured for use in an extranet scenario. You can then test and verify AD RMS extranet functionality through the simple task of restricting permissions on a Microsoft Office Word 2007 document and attempting to open this document from a client computer that is not part of your organization's network.
The test environment described in this guide includes six computers that use the following operating systems, applications, and services:
Note
You will also need a USB flash drive or another medium to copy the files from the AD RMS-enabled client to the AD RMS-enabled extranet client.

Computer Name | Operating System | Applications and Services
ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and Windows Internal Database
CPANDL-DC | Windows Server 2003 with Service Pack 1 (SP1) | Active Directory, Domain Name System (DNS)
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server™ 2005 Standard Edition
ISA-SRV | Windows Server 2003 with SP1 | Microsoft ISA Server 2006 Standard Edition
ADRMS-CLNT | Windows Vista™ | Microsoft Office Word 2007 Enterprise Edition
ADRMS-EXCLNT | Windows Vista | Microsoft Office Word 2007 Enterprise Edition

Note
ISA-SRV must have two network adapters so that ISA Server 2006 can distinguish between the public and private IP addresses.


The first five computers in the table form a private intranet and are connected through a common hub or Layer 2 switch. Additionally, ISA-SRV has a second network adapter installed that is exposed to the Internet. This allows for the ISA Server to accept requests from the Internet and forward them to the AD RMS server. ADRMS-EXCLNT is a computer that is not part of the same network. This configuration can be emulated in a virtual server environment if desired.
This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com. ADRMS-EXCLNT is configured with an IP address of 10.0.100.2/24 in order to simulate a client computer on an extranet. The following figure shows the configuration of the test environment:
Note
In a production environment, the ISA server's external address would be an IP address available to the Internet, giving extranet users the ability to consume rights-protected content.

Step 1: Configuring AD RMS to Work in an Extranet


In addition to the steps outlined in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide," you must also do the following:
Configure the extranet cluster URL in the Active Directory Rights Management Services console.
Export the server authentication certificate, including the private key, on ADRMS-SRV. This will be imported into the Personal certificate store on the ISA server (ISA-SRV).
In order for users who are not connected to your organization's internal network to consume rights-protected content, you must configure the AD RMS extranet cluster URLs. These URLs are included in the AD RMS client licensor certificate and published with all rights-protected content. These URLs should be an address that is available to all computers on the Internet.
Note
You must configure the extranet cluster URLs before you can rights-protect content. If you already have rights-protected content, the AD RMS-enabled client must download a new client licensor certificate that includes the extranet cluster URL.
Configuring the extranet cluster URLs is done through the Active Directory Rights Management Services console. Follow these steps to accomplish this task:
To configure the AD RMS extranet cluster URLs
1. Log on to ADRMS-SRV as CPANDL\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Right-click ADRMS-SRV (Local), and then click Properties.
5. Click the Cluster URLs tab, and then select the Extranet URLs check box.
6. In the Licensing box, select https://, and then type adrms-srv.cpandl.com.
7. In the Certification box, select https://, and then type adrms-srv.cpandl.com.
8. Click OK.

Next, export the ADRMS-SRV server authentication certificate with its private key. This is required so that ISA-SRV can pass HTTPS requests from ADRMS-EXCLNT to the AD RMS cluster.
To export the ADRMS-SRV server authentication certificate with private key
1. Click Start, type mmc.exe, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. Click File, and then click Add/Remove Snap-in.
4. Click Certificates, and then click Add.
5. Select the Computer account option, and then click Next.
6. Click Finish, and then click OK.
7. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates in the console tree.
8. Right-click ADRMS-SRV.cpandl.com, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. Select the Yes, export the private key option, and then click Next.
11. On the Export File Format page, click Next, accepting the default selections.
12. In the Password and Type and confirm password boxes, type the same strong password, and then click Next.
13. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, and then click Next.
14. Click Finish.
15. Click OK, confirming that the export was successful.
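The same export, scripted. This is an added example and not part of the guide: it uses Windows PowerShell and the .NET X509Certificate2 class on ADRMS-SRV to produce the PFX that the wizard steps above create. The subject name CN=ADRMS-SRV.cpandl.com, the Trusted Root Certification Authorities store and the output path \\adrms-db\public\adrms-srv_with_key.pfx come from the steps above; that Windows PowerShell is installed on ADRMS-SRV is an assumption.

```powershell
# Added example (not from the guide): export the ADRMS-SRV server authentication
# certificate together with its private key to a PFX, the CLI equivalent of the
# Certificate Export Wizard steps above. Assumes the self-signed certificate sits in
# the local machine's Trusted Root Certification Authorities store, as in the guide,
# and that Windows PowerShell is available. Run in an elevated session on ADRMS-SRV.

$subjectName = 'CN=ADRMS-SRV.cpandl.com'                  # subject as shown in the guide
$pfxPath     = '\\adrms-db\public\adrms-srv_with_key.pfx'  # output path from step 13

# Locate the certificate by subject; fail loudly if it is missing or ambiguous.
$certs = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $subjectName })
if ($certs.Count -ne 1) {
    throw "Expected exactly one certificate with subject '$subjectName', found $($certs.Count)."
}
$cert = $certs[0]

# The export is pointless (and Export() will throw) if no private key is attached.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store."
}

# Prompt for the PFX password instead of embedding it in the script.
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# X509ContentType.Pfx produces a PKCS#12 blob containing the certificate and its key.
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# Sanity check: reopen the PFX with the password and compare thumbprints, so a
# corrupt or mistyped-password file is caught here rather than on ISA-SRV.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$check.Import($pfxPath, $password, 'Exportable')
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported PFX does not match the source certificate.'
}
Write-Host "Exported $($cert.Thumbprint) with private key to $pfxPath"
```

The PFX holds the private key of the certificate every extranet client will be told to trust for the cluster, so the \\adrms-db\public share should be readable only by the accounts performing the export and the import, and the file should be deleted once ISA-SRV has imported it.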


Step 2: Installing and Configuring ISA-SRV


ISA Server 2006 Standard Edition is an integrated edge security gateway that can be used with AD RMS to restrict Internet access to the AD RMS cluster. The ISA server handles all requests from the Internet to the AD RMS extranet cluster URLs and passes them to the AD RMS cluster, when necessary.
To install and configure ISA Server 2006 Standard Edition to work with AD RMS, you must complete the following steps:
Configure the ISA Server (ISA-SRV)
Publish AD RMS cluster to extranet

Configure the ISA Server (ISA-SRV)

First, install Windows Server 2003 on a stand-alone server.
To install Windows Server 2003, Standard Edition
1. Start your computer by using the Windows Server 2003 product CD.
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ISA-SRV.

Next, configure TCP/IP properties so that ISA-SRV has a static IP address of 10.0.0.5 and a preferred DNS server with IP address 10.0.0.1 on the first network adapter. On the second network adapter, use 10.0.100.1 as the IP address.
To configure TCP/IP properties on ISA-SRV
1. Log on to ISA-SRV as a member of the local Administrators group.
2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.5. In the Subnet mask box, type 255.255.255.0. In the Preferred DNS server box, type 10.0.0.1.
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
6. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection 2, and then click Properties.
7. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
8. Click the Use the following IP address option. In the IP address box, type 10.0.100.1. In the Subnet mask box, type 255.255.255.0.
9. Click OK, and then click Close to close the Local Area Connection 2 Properties dialog box.

Next, join ISA-SRV to the cpandl.com domain.
To join ISA-SRV to the cpandl.com domain
1. Click Start, right-click My Computer, and then click Properties.
2. Click the Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and then type cpandl.com.
4. Click More, and type cpandl.com in the Primary DNS suffix of this computer box.
5. Click OK, and then click OK again.
6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for CPANDL\Administrator, and then click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
9. Click Restart Now.

Next, import the server authentication certificate that contains the private key into the Personal certificate store on ISA-SRV.
To import the server authentication certificate to the ISA-SRV computer
1. Log on to ISA-SRV as a member of the local Administrators group.
2. Click Start, click Run, type mmc.exe, and then press ENTER.
3. Click File, and then click Add/Remove Snap-in.
4. Click Add, select Certificates, and then click Add.
5. Select the Computer Account option, click Next, and then click Finish.
6. Click Close, and then click OK.
7. Expand Certificates, and then expand Personal.
8. Right-click Certificates in the console tree, point to All Tasks, and then click Import.
9. On the Welcome to the Certificate Import wizard page, click Next.
10. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, click OK, and then click Next.
11. Type the password used to export the certificate, and then click Next.
12. Click Next, and then click Finish.
13. Click OK confirming that the import was successful.
14. Close the Certificates console.
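The three ISA-SRV preparation procedures above (static addressing on both adapters, the domain join, and the PFX import), scripted. This is an added example and not part of the guide. It assumes the adapters are named Local Area Connection (intranet) and Local Area Connection 2 (Internet-facing) as in the guide, that netdom.exe from the Windows Server 2003 Support Tools and Windows PowerShell are installed on ISA-SRV, and that the PFX is the one produced in Step 1. The function name Invoke-Checked is this example's own.

```powershell
# Added example (not from the guide): CLI equivalent of preparing ISA-SRV. Assumes the
# adapter names from the guide, netdom.exe (Support Tools) and Windows PowerShell on
# ISA-SRV, and the PFX exported in Step 1. Run as a local Administrator on ISA-SRV.
# The domain join comes last because netdom restarts the server.

# Hypothetical helper: run a native command and stop on a non-zero exit code.
function Invoke-Checked([string]$Description, [scriptblock]$Command) {
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed with exit code $LASTEXITCODE" }
}

# Intranet adapter: static 10.0.0.5/24, DNS at the domain controller CPANDL-DC (10.0.0.1).
Invoke-Checked 'Set intranet address' {
    netsh interface ip set address "Local Area Connection" static 10.0.0.5 255.255.255.0
}
Invoke-Checked 'Set intranet DNS' {
    netsh interface ip set dns "Local Area Connection" static 10.0.0.1
}

# Internet-facing adapter: static 10.0.100.1/24. No DNS server and no gateway, as in
# the guide; name resolution happens through the intranet side only.
Invoke-Checked 'Set external address' {
    netsh interface ip set address "Local Area Connection 2" static 10.0.100.1 255.255.255.0
}

# Import the certificate and private key into the local machine's Personal store.
# -p is deliberately omitted so certutil prompts for the PFX password.
Invoke-Checked 'Import PFX into Personal store' {
    certutil -f -importpfx '\\adrms-db\public\adrms-srv_with_key.pfx'
}

# Confirm the key arrived with the certificate; without it the HTTPS listener
# created in "Publish AD RMS cluster to extranet" cannot use the certificate.
$imported = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=ADRMS-SRV.cpandl.com' }
if (-not $imported -or -not $imported.HasPrivateKey) {
    throw 'Certificate was not imported into the Personal store with its private key.'
}

# Join cpandl.com. netdom prompts for the CPANDL\Administrator password (/passwordd:*)
# and restarts ISA-SRV after 30 seconds, which the guide's step 9 does by hand.
Invoke-Checked 'Join domain' {
    netdom join ISA-SRV /domain:cpandl.com /userd:CPANDL\Administrator /passwordd:* /reboot:30
}
```

After the restart, the ISA Server 2006 installation proceeds as in the next procedure; the external adapter is deliberately left off the internal network definition there (step 8 adds only Local Area Connection).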

Finally, install ISA Server 2006 Standard Edition.
To install ISA Server 2006 Standard Edition
1. Log on to ISA-SRV as a member of the local Administrators group.
2. Insert the ISA Server 2006 Standard Edition product CD.
3. Click Install ISA Server 2006.
4. On the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page, click Next.
5. Select the I accept the terms in the license agreement option, and then click Next.
6. Type your ISA Server product key in the Product Serial Number box, and then click Next.
7. Select the Typical option, and then click Next.
8. Click Add, click Add Adapter, select the Local Area Connection check box, click OK, and then click OK again.
9. Click Next three times, and then click Install.
10. When the installation is complete, click Finish.
11. Click OK. Read the information if desired, and then close Internet Explorer.
12. Click Exit to close Microsoft ISA Server 2006 Setup.

Publish AD RMS cluster to extranet

ISA Server 2006 Standard Edition requires that a Web listener be configured for a specified port. In this guide, you use TCP port 443 (SSL) to help secure data transmission between the clients and the ISA server. In this section, you publish the AD RMS Web site through the ISA server. This involves publishing the AD RMS extranet cluster URL to this ISA server and then allowing the ISA server to pass the user credentials directly to the AD RMS server. Because a self-signed certificate is used for the AD RMS cluster in this guide, you must move it from the Personal certificate store to the Trusted Root Certification Authorities store.
First, publish the AD RMS cluster on ISA-SRV.
To publish AD RMS in ISA Server 2006 Standard Edition
1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand ISA-SRV, and then click Firewall Policy.
3. Click the Tasks tab, and then click Publish Web Sites.
4. In the Web publishing rule name box, type AD RMS Extranet, and then click Next.
5. Click Next twice accepting the default selections.
6. Select the Use SSL to connect to the published Web server or server farm option, and then click Next.
7. In the Internal Site Name box, type adrms-srv.cpandl.com.
8. Select the Use a computer name or IP address to connect to the published server check box, type 10.0.0.2 in the Computer name or IP address box, and then click Next.
9. In the Path (optional) box, type /*, select the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box, and then click Next.
10. In the Public name box, type adrms-srv.cpandl.com, and then click Next.
11. Click New to create a new Web listener.
12. In the Web listener name box, type HTTPS Port 443, and then click Next.
13. Select the Require SSL secured connections with clients option, and then click Next.
14. Select the External check box, and then click Next.
15. Select the Use a single certificate for this Web listener option, and then click Select Certificate.
16. Click the ADRMS-SRV.cpandl.com certificate, click Select, and then click Next.
17. In the Select how clients will provide credentials to ISA Server box, select No Authentication, click Next, and then click Next again.
18. Click Finish to close the New Web Listener Wizard.
19. Click Next.
20. Click No delegation, but client may authenticate directly, and then click Next.
21. Click Next to apply this Web publishing rule to all users.
22. Click Finish.
23. Click Apply to save changes and update your configuration, and then click OK.

Finally, move the ADRMS-SRV server authentication certificate from the Personal certificate store to the Trusted Root Certification Authorities store:
To move the ADRMS-SRV server authentication certificate
1. Click Start, and then click Run.
2. Type mmc.exe, and then click OK.
3. Click File, and then click Add/Remove Snap-in.
4. Click Add, click Certificates, click Add, select the Computer account option, and then click Next.
5. Click Finish, click Close, and then click OK.
6. Expand Certificates (Local computer), expand Personal, and then expand Trusted Root Certification Authorities.
7. Click Certificates under Personal in the console tree.
8. Select the ADRMS-SRV.cpandl.com certificate in the details pane and drag it to the Certificates folder under Trusted Root Certification Authorities.
9. Close the Certificates console.


Step 3: Configuring AD RMS Extranet Client


To configure the AD RMS extranet client computer (ADRMS-EXCLNT), you must install Windows Vista, configure TCP/IP properties, create an entry in the local HOSTS file, import the ADRMS-SRV server authentication certificate, and then install an AD RMS-enabled application. In this example, Microsoft Office Word 2007 is installed on ADRMS-EXCLNT.
To install Windows Vista
1. Start your computer using the Windows Vista product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-EXCLNT.

Next, configure TCP/IP properties so that ADRMS-EXCLNT has a static IP address of 10.0.100.2.
To configure TCP/IP properties
1. Click Start, click Control Panel, click Network and Internet, double-click Network and Sharing Center, click Manage Network Connections in the left pane, right-click Local Area Connection, and then click Properties.
2. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Select the Use the following IP address option. In the IP address box, type 10.0.100.2. In the Subnet mask box, type 255.255.255.0.
4. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
5. Close the other open windows and return to the desktop.

In this guide, a test environment without an external DNS server is used. In order for the extranet cluster URLs to resolve to the appropriate IP address, you must create a manual entry in the HOSTS file that points to ISA-SRV.
Note
In a production environment, this step is not required because the extranet client computer's Internet Service Provider will handle the DNS resolution.
To create an entry in the HOSTS file for the AD RMS extranet cluster URL
1. Log on to ADRMS-EXCLNT as a member of the local Administrators group.
2. Click Start, point to All Programs, click Accessories, and then click Notepad.
3. Within Notepad, click File, and then click Open.
4. Navigate to C:\windows\System32\drivers\etc\HOSTS, and then click Open.
Note
To show the HOSTS file, when you get to the etc folder you must select All Files (above the Open button).
5. On a new line at the bottom of the file, type 10.0.100.1 adrms-srv.cpandl.com.
6. Save and close the HOSTS file.

Next, import the ADRMS-SRV server authentication certificate into the Trusted Root Certification Authorities store on ADRMS-EXCLNT. This is only required when using self-signed certificates. In a production environment, the certificate should be issued by a certification authority that the client already trusts.
To import the server authentication certificate to the ADRMS-EXCLNT computer
1. Log on to ADRMS-EXCLNT with a user account that is a member of the local Administrators group.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Address bar, type https://adrms-srv.cpandl.com/_wmcs/licensing/license.asmx, and then press ENTER.
4. On the Certificate Error: Navigation Blocked Web page, click Continue to this website (not recommended).
5. In the User name box, type CPANDL\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
6. In the Address Bar, click Certificate Error, and then click View Certificates.
7. On the Certificate Information page, click Install Certificate.
8. On the Welcome to the Certificate Import Wizard page, click Next.
9. Select the Place all certificates in the following store option, click Browse, click Trusted Root Certification Authorities, and then click OK.
10. Click Next, and then click Finish.
11. Click Yes, accepting the security warning. This only happens because self-signed certificates are used.
12. Click OK, confirming that the certificate import was successful.
13. Click OK to close the Certificate Information window.
14. Close Internet Explorer.
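A scripted version of the two client-side procedures above (the HOSTS entry and the certificate trust), followed by the checks that tell you whether the extranet path actually works before Word is involved. This is an added example and not part of the guide. It assumes Windows PowerShell 2.0 on ADRMS-EXCLNT, and takes the host name adrms-srv.cpandl.com, ISA-SRV's external address 10.0.100.1, the licensing URL and the CPANDL\srailson account from the guide; the certificate subject CN=ADRMS-SRV.cpandl.com is assumed to match the certificate installed by the Internet Explorer steps.

```powershell
# Added example (not from the guide): write the lab HOSTS entry for the extranet cluster
# URL, then verify name resolution, certificate trust and an authenticated HTTPS request
# through ISA-SRV to the licensing service. Assumes Windows PowerShell 2.0 (try/catch)
# and the names and addresses used in the guide. Run elevated on ADRMS-EXCLNT.

$clusterHost = 'adrms-srv.cpandl.com'
$isaExternal = '10.0.100.1'                       # ISA-SRV's Internet-facing adapter
$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$licenseUrl  = "https://$clusterHost/_wmcs/licensing/license.asmx"

# 1. HOSTS entry, added only if an identical mapping is not already present.
#    Lab-only: a production client relies on public DNS for the extranet URL.
$pattern = "^\s*$([regex]::Escape($isaExternal))\s+$([regex]::Escape($clusterHost))\s*$"
$existing = Get-Content $hostsPath | Where-Object { $_ -match $pattern }
if (-not $existing) {
    Add-Content -Path $hostsPath -Value "$isaExternal`t$clusterHost"
    Write-Host "Added HOSTS entry: $isaExternal $clusterHost"
}

# 2. The name must resolve to ISA-SRV's external address, not to a stale or intranet one.
$resolved = [System.Net.Dns]::GetHostAddresses($clusterHost) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $isaExternal) {
    throw "$clusterHost resolves to [$($resolved -join ', ')], expected $isaExternal"
}

# 3. The self-signed ADRMS-SRV certificate must be in the machine's Trusted Root store,
#    which is where the Internet Explorer import steps above place it.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq 'CN=ADRMS-SRV.cpandl.com' }
if (-not $trusted) {
    throw 'ADRMS-SRV certificate is not in Trusted Root Certification Authorities.'
}

# 4. End to end: an authenticated HTTPS request through ISA to the licensing service.
#    Credentials are prompted for, never stored in the script.
$cred = Get-Credential -Credential 'CPANDL\srailson'
$req  = [System.Net.HttpWebRequest]::Create($licenseUrl)
$req.Credentials = $cred.GetNetworkCredential()
try {
    $resp = $req.GetResponse()
    Write-Host "Licensing endpoint reachable: HTTP $([int]$resp.StatusCode) from $($resp.ResponseUri)"
    $resp.Close()
} catch [System.Net.WebException] {
    # Status tells you which layer failed: NameResolutionFailure (HOSTS),
    # TrustFailure (certificate), ProtocolError (authentication or the rule).
    throw "HTTPS check failed ($($_.Exception.Status)): $($_.Exception.Message)"
}
```

A TrustFailure at step 4 after step 3 passed means the certificate ISA-SRV presents on 10.0.100.1 is not the one the client trusts; check which certificate the HTTPS Port 443 listener was bound to in "Publish AD RMS cluster to extranet".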

Finally, install Microsoft Office Word 2007 Enterprise.
To install Microsoft Office Word 2007 Enterprise
1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow you to consume rights-protected content.

Step 4: Verifying AD RMS Functionality using ADRMS-CLNT


To verify the functionality of the AD RMS deployment, you will log on to ADRMS-CLNT as Nicole Holliday and then restrict permissions on a Microsoft Word 2007 document so that Stuart Railson is only able to read the document but unable to change, print, or copy it. You will then copy this document to a removable device (for example, a USB flash drive) and log on to a client computer that is not part of the organizational network, such as a home computer. In this example, ADRMS-EXCLNT serves as the home computer. After the file is copied to the USB flash drive, Stuart Railson logs on to the extranet client computer (ADRMS-EXCLNT) and verifies that he is able to open the rights-protected document from the USB flash drive.
Note
A USB flash drive is not required in this scenario. Any means of getting the document to the extranet client computer will work, such as attaching the document to an e-mail message and sending it to Stuart. In that example, Stuart would then open the document contained in the e-mail message on the extranet client computer.
Use the following steps to restrict permissions on a Microsoft Word document:
To restrict permissions on a Microsoft Word document
1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\nhollida).
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Type This is a test of AD RMS Extranet functionality. into the blank document page, click the Microsoft Office Button, point to Prepare, point to Restrict Permission, and then click Restricted Access.
4. Select the Restrict permission to this document check box.
5. In the Read box, type srailson@cpandl.com, and then click OK to close the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.
7. Copy ADRMS-TST.docx to a USB flash drive.
8. Log off as Nicole Holliday.

Finally, open the document, ADRMS-TST.docx, on ADRMS-EXCLNT from the USB flash drive.
To view a protected document
1. Log on to ADRMS-EXCLNT with the local user account that you want to use for consuming the rights-protected document.
Caution
Once this document has been consumed, any other user who logs on to the computer with the same user account will also be able to consume the document.
2. Insert the USB flash drive, and then double-click the ADRMS-TST.docx file.
3. In the User name box, type cpandl\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "You are attempting to send information to an Internet site (https://adrms-srv.cpandl.com) that is not in your Local, Intranet, or Trusted zones. This could pose a security risk. Do you want to send the information anyway?"
5. Click Yes.
The following message appears: "Verifying your credentials for opening content with restricted permissions…".
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Click View Permission in the message bar. You can see that srailson@cpandl.com (Stuart Railson) has been restricted so that he can only read the document.
8. Click OK to close the My Permissions dialog box, and then close Microsoft Word.

You have successfully deployed and demonstrated the functionality of AD RMS in an extranet, using the simple scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.
