Understanding IRM in an Exchange 2007 Hybrid Deployment
Applies to: Exchange Server 2010 SP2
Information Rights Management (IRM) helps you to protect against leakage of sensitive information by providing persistent online and offline protection of e-mail messages and attachments. Both Exchange 2007, in your on-premises organization, and Exchange Online, in Office 365 for Enterprises, support IRM. However, there are differences between the two implementations, and you must configure IRM in the cloud-based Exchange organization before cloud-based users can use it.
IRM uses Active Directory Rights Management Services (AD RMS), which is a component of Windows Server 2008 R2. AD RMS allows users to create rights-protected content, such as e-mail messages and attachments, and then control how that content is used and to whom it can be distributed. Users can specify templates that determine how content can be used. For example, a user may specify that an e-mail message can't be forwarded to other recipients or that information in the message can't be copied.
Learn more about IRM in Exchange 2007 at: Understanding the AD RMS Prelicensing Agent
Learn more about IRM in Exchange 2010 at: Understanding Information Rights Management
Learn more about AD RMS at: Active Directory Rights Management Services Overview
Learn more about configuring IRM at: Configure IRM in an Exchange 2007 Hybrid Deployment
Differences between IRM in Exchange 2007 and Exchange Online
Exchange Online is based on Exchange 2010, which includes several new IRM features. The IRM functionality available in your on-premises Exchange 2007 organization therefore differs from the functionality available in your cloud-based Exchange organization. The following table summarizes the features and functionality available in each organization.
Available IRM features
Feature | Available in Exchange 2007 | Available in Exchange Online
---|---|---
Manual protection of messages in Outlook | Yes | Yes
Manual protection of messages in Outlook Web App | No | Yes
View IRM-protected messages in Outlook | Yes | Yes
View IRM-protected messages in Outlook Web App | Yes (Internet Explorer with Rights Management add-in required) | Yes
IRM Pre-licensing agent | Yes | Yes
RMS policy templates | No | Yes
Transport decryption | No | Yes
Journal report decryption | No | Yes
Exchange Search and discovery decryption | No | Yes
Automatic Outlook protection rules | No | Yes
Automatic transport protection rules | No | Yes
Learn more about these features at: Understanding Information Rights Management
IRM in Hybrid Deployments
Exchange uses AD RMS servers in the Active Directory forest in which the Exchange server is installed. For your on-premises Exchange 2007 servers, the on-premises AD RMS server is used. For your cloud-based Exchange organization, AD RMS servers that are maintained within the Microsoft Office 365 datacenters are used. The AD RMS configuration that each Exchange organization uses is independent of any other AD RMS deployment.
AD RMS configuration, and therefore IRM configuration, isn't automatically replicated between your on-premises Exchange organization and the cloud-based Exchange organization. Any AD RMS templates that you've defined aren't automatically copied to the cloud-based organization. If you want the same AD RMS templates to be available in the cloud-based Exchange organization, you must manually export the templates from your on-premises organization and apply them to the cloud-based organization. See the IRM Configuration in Hybrid Deployments section later in this topic.
User Experience
The IRM configuration that's applied to a user depends on the client the user uses and the location of the user's mailbox. The following table shows the AD RMS server a user will use.
Active AD RMS server
Client | On-premises mailbox | Cloud-based mailbox
---|---|---
Outlook 2007 or Outlook 2010 | On-premises AD RMS | On-premises AD RMS
Outlook Web App | On-premises AD RMS | Cloud-based AD RMS
ActiveSync device | On-premises AD RMS | Cloud-based AD RMS
Depending on how you configure AD RMS in your on-premises and cloud-based organizations, a user who uses both Outlook 2007 and Outlook Web App may see different AD RMS templates in each client. For this reason, we strongly recommend that you apply the same templates to both your on-premises and cloud-based organizations.
There should be no difference in the IRM experience for Outlook client users, regardless of whether their mailbox is located in the on-premises or cloud-based organization.
An Outlook Web App user whose mailbox is located on an Exchange 2007 server can only open rights-protected messages after installing the Rights Management for Internet Explorer add-in. They can't reply to or create new rights-protected messages.
An Outlook Web App user whose mailbox is located in the cloud can open rights-protected messages without any additional software and can reply to, and create, new rights-protected messages.
Server Functionality
On-premises Exchange 2007 servers use the AD RMS pre-licensing agent to decrypt rights-protected messages so that users don't need to supply credentials when they open those messages. The on-premises Exchange 2007 server contacts the on-premises AD RMS server to check usage policies and rights, and to request authorization to decrypt the message.
The cloud-based Exchange organization provides several additional IRM-related features that make use of cloud-based AD RMS. These features, such as journal report decryption, make the content of rights-protected messages available to Exchange services for additional processing. For example, the decrypted contents of a journaled message can be saved, along with the original rights-protected message, to allow for easier discovery. Additionally, IRM templates can be applied to messages automatically, using either Outlook protection rules or transport rules, to ensure that messages adhere to organization policies regarding information protection.
IRM Configuration in Hybrid Deployments
IRM in Exchange relies on AD RMS being deployed in the Active Directory forest in which the Exchange server resides. AD RMS configuration isn't automatically synchronized between the on-premises organization and the cloud. You must manually export the AD RMS configuration, known as a trusted publishing domain (TPD), from your on-premises AD RMS server, and import that configuration into the cloud-based Exchange organization. The TPD contains the AD RMS configuration, including templates, which the cloud-based Exchange organization needs to use IRM.
Learn more at: AD RMS Trusted Publishing Domain Considerations
In addition to applying your on-premises AD RMS configuration to the cloud-based Exchange organization, you must ensure that Outlook and ActiveSync clients outside your on-premises network can contact your AD RMS servers if you want those clients to access rights-protected messages from outside the network.
After you've configured your on-premises network and exported the TPD data, you need to configure the cloud-based Exchange organization by importing the TPD data and enabling IRM.
Note
Any time you modify your on-premises AD RMS configuration, you must manually apply the new configuration in the cloud-based Exchange organization. To do so, export the TPD data from your on-premises AD RMS server and import it into the cloud-based Exchange organization.
Learn more at: Configure IRM in an Exchange 2007 Hybrid Deployment
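The export/import procedure described above, as an added PowerShell example that is not part of this topic: it assumes the TPD has already been exported from the on-premises AD RMS console to a file, and the file path, TPD name, licensing URLs, remote PowerShell endpoint and sender address are placeholders you replace with your own values.

```powershell
# Added example (not from the original topic): import an on-premises AD RMS
# trusted publishing domain (TPD) into the cloud-based Exchange organization,
# enable IRM there, and verify the result. Assumed values: the TPD was exported
# from the on-premises AD RMS console to C:\TPD\contoso-tpd.xml, and the URLs
# below stand in for your AD RMS cluster's published licensing URLs.

# 1. Connect remote PowerShell to the cloud-based Exchange organization
#    (endpoint assumed for the Exchange Online release this topic covers).
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# 2. Read the exported TPD as bytes. The file carries the AD RMS server
#    licensor certificate and its private key, so handle it as a secret.
$tpdFile = 'C:\TPD\contoso-tpd.xml'
$tpdData = [System.IO.File]::ReadAllBytes($tpdFile)
$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString

# 3. Import the TPD (configuration plus templates) as the default TPD.
Import-RMSTrustedPublishingDomain -FileData $tpdData `
    -Name 'Contoso on-premises TPD' `
    -Password $tpdPassword `
    -ExtranetLicensingUrl 'https://rms.contoso.com/_wmcs/licensing' `
    -IntranetLicensingUrl 'https://rms.contoso.com/_wmcs/licensing' `
    -Default

# 4. Enable IRM for the cloud-based organization so Outlook Web App,
#    transport decryption and journal report decryption can use it.
Set-IRMConfiguration -InternalLicensingEnabled $true

# 5. Verify: the templates listed should match the on-premises AD RMS
#    templates, and the configuration test should pass for a cloud sender.
Get-RMSTemplate
Test-IRMConfiguration -Sender 'user@contoso.com'

# 6. Delete the exported TPD file once imported; it contains the private key.
Remove-Item $tpdFile
Remove-PSSession $session
```

Whenever the on-premises AD RMS configuration changes, re-export the TPD and run steps 2 to 5 again so the cloud-based organization stays in sync.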
© 2010 Microsoft Corporation. All rights reserved.