Deploying the Azure Rights Management connector

*Applies to: Azure Information Protection, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012*

*Relevant for: AIP unified labeling client and classic client*

Use this information to learn about the Azure Rights Management connector and how to deploy it successfully for your organization. The connector provides data protection for existing on-premises deployments that use Microsoft Exchange Server, SharePoint Server, or file servers that run Windows Server and File Classification Infrastructure (FCI).

Overview of the Microsoft Rights Management connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside and outside your organization, without having to install additional infrastructure or establish trust relationships with other organizations.

The RMS connector is a small-footprint service that you install on-premises, on servers that run Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. In addition to running the connector on physical computers, you can also run it on virtual machines, including Azure IaaS VMs. After you deploy the connector, it acts as a communications interface (a relay) between the on-premises servers and the cloud service, as shown in the following picture. The arrows indicate the direction in which network connections are initiated.

Figure: Overview of the RMS connector architecture

On-premises servers supported

The RMS connector supports the following on-premises servers: Exchange Server, SharePoint Server, and file servers that run Windows Server and use File Classification Infrastructure to classify and apply policies to Office documents in a folder.

Note

If you want to protect multiple file types (not just Office documents) by using File Classification Infrastructure, do not use the RMS connector; instead, use the AzureInformationProtection cmdlets.

For the versions of these on-premises servers that are supported by the RMS connector, see On-premises servers that support Azure RMS.

Support for hybrid scenarios

You can use the RMS connector in a hybrid scenario, even if some of your users are connecting to online services. For example, some users' mailboxes use Exchange Online and some users' mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.

Support for customer-managed keys (BYOK)

If you manage your own tenant key for Azure RMS (the bring your own key, or BYOK, scenario), the RMS connector and the on-premises servers that use it do not access the hardware security module (HSM) that contains your tenant key. This is because all cryptographic operations that use the tenant key are performed in Azure RMS, not on-premises.

If you want to learn more about this scenario, in which you manage your tenant key, see Planning and implementing your Azure Information Protection tenant key.

Prerequisites for the RMS connector

Before you install the RMS connector, make sure that the following requirements are in place.

Requirement: The protection service is activated
More information: Activating the protection service from Azure Information Protection

Requirement: Directory synchronization between your on-premises Active Directory forests and Azure Active Directory
More information: After RMS is activated, Azure Active Directory must be configured to work with the users and groups in your Active Directory database.

Important: You must do this directory synchronization step for the RMS connector to work, even for a test network. Although you can use Microsoft 365 and Azure Active Directory with accounts that you create manually in Azure Active Directory, this connector requires that the accounts in Azure Active Directory are synchronized with Active Directory Domain Services; manual password synchronization is not sufficient.

For more information, see the following resources:

- Integrate on-premises Active Directory domains with Azure Active Directory

- Hybrid Identity directory integration tools comparison

Requirement: A minimum of two member computers on which to install the RMS connector:

- A 64-bit physical or virtual computer running one of the following operating systems: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012.

- At least 1 GB of RAM.

- A minimum of 64 GB of disk space.

- At least one network interface.

- Access to the internet via a firewall (or web proxy) that does not require authentication.

- Must be in a forest or domain that trusts the other forests in the organization that contain the installations of Exchange or SharePoint servers you want to use with the RMS connector.

More information: For fault tolerance and high availability, you must install the RMS connector on a minimum of two computers.

Tip: If you are using Outlook Web Access or mobile devices that use Exchange ActiveSync IRM, and it is critical that you maintain access to emails and attachments that are protected by Azure RMS, we recommend that you deploy a load-balanced group of connector servers to ensure high availability.

You do not need dedicated servers to run the connector, but you must install it on a separate computer from the servers that will use the connector.

Important: Do not install the connector on a computer that runs Exchange Server, SharePoint Server, or a file server that is configured for File Classification Infrastructure if you want to use the functionality from these services with Azure RMS. Also, do not install this connector on a domain controller.

If you have server workloads that you want to use with the RMS connector, but their servers are in domains that are not trusted by the domain from which you want to run the connector, you can install additional RMS connector servers in those untrusted domains or in other domains in their forest.

There is no limit to the number of connector servers that you can run for your organization, and all connector servers installed in an organization share the same configuration. However, to configure the connector to authorize servers, you must be able to browse for the server or service accounts that you want to authorize, which means that you must run the RMS administration tool in a forest from which you can browse those accounts.
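Because the connector installer does not verify all of these prerequisites for you, it helps to check the host requirements before you start. The following PowerShell script is an added example, not Microsoft's code or part of the connector; it checks the per-computer requirements listed above on a candidate connector server (64-bit Windows Server 2012 or later, at least 1 GB of RAM and 64 GB of disk, an active network interface, no Exchange, SharePoint or FSRM/FCI role on the same host, not a domain controller, and outbound HTTPS that is not blocked by an authenticating proxy). The probe URL is a placeholder that you must replace with an HTTPS endpoint your connector is expected to reach; the service names `MSExchangeIS` and `SPTimerV4` are the standard Exchange Information Store and SharePoint Timer services and are used only as indicators that those products are installed. Forest and domain trust, and directory synchronization, are not checked here.

```powershell
# Added example (not from the original page): pre-flight check of RMS connector host
# prerequisites. Run in an elevated PowerShell session on the candidate connector server.
param(
    # PLACEHOLDER: replace with the HTTPS endpoint the connector must reach.
    [string]$ProbeUrl  = 'https://PLACEHOLDER.example.invalid/',
    [int]   $MinRamGB  = 1,
    [int]   $MinDiskGB = 64
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

$os = Get-CimInstance Win32_OperatingSystem
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
# Windows Server 2012 is NT 6.2; 2012 R2 is 6.3; 2016 is 10.0.
Add-Check '64-bit OS' ($os.OSArchitecture -like '64*') $os.OSArchitecture
Add-Check 'Windows Server 2012 or later' `
    ($os.ProductType -ne 1 -and [version]$os.Version -ge [version]'6.2') "$($os.Caption) $($os.Version)"
Add-Check 'Not a domain controller' ($os.ProductType -ne 2) "ProductType=$($os.ProductType)"

# TotalVisibleMemorySize is reported in KB.
$ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
Add-Check "RAM >= $MinRamGB GB" ($ramGB -ge $MinRamGB) "$ramGB GB"

# Disk space on the system drive.
$sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$diskGB = [math]::Round($sysDrive.Size / 1GB, 1)
Add-Check "Disk >= $MinDiskGB GB" ($diskGB -ge $MinDiskGB) "$diskGB GB on $($env:SystemDrive)"

# At least one network adapter that is up.
$upAdapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
Add-Check 'Network interface up' ($upAdapters.Count -ge 1) (($upAdapters.Name) -join ', ')

# The connector must not share a host with Exchange, SharePoint or an FCI file server.
$exchange   = Get-Service -Name 'MSExchangeIS' -ErrorAction SilentlyContinue
$sharepoint = Get-Service -Name 'SPTimerV4'    -ErrorAction SilentlyContinue
$fsrm       = Get-WindowsFeature -Name 'FS-Resource-Manager' -ErrorAction SilentlyContinue
Add-Check 'No Exchange Server on host'   ($null -eq $exchange)   ''
Add-Check 'No SharePoint Server on host' ($null -eq $sharepoint) ''
Add-Check 'FSRM (FCI) not installed'     (-not ($fsrm -and $fsrm.Installed)) ''

# Outbound HTTPS without proxy authentication: HTTP 407 means the proxy demands credentials.
try {
    $null = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing -TimeoutSec 15
    Add-Check 'Unauthenticated outbound HTTPS' $true $ProbeUrl
} catch {
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status -eq 407) {
        Add-Check 'Unauthenticated outbound HTTPS' $false 'Proxy requires authentication (HTTP 407)'
    } elseif ($status) {
        # Any other HTTP status still shows that the path to the internet works.
        Add-Check 'Unauthenticated outbound HTTPS' $true "Reached $ProbeUrl (HTTP $status)"
    } else {
        Add-Check 'Unauthenticated outbound HTTPS' $false $_.Exception.Message
    }
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'This host does not meet all RMS connector prerequisites.'
    exit 1
}
```

Run the script once on each of the (at least two) computers you intend to use, before installing the connector; a non-zero exit code means at least one check failed, and the table shows which one. `Get-WindowsFeature` requires the ServerManager module, which is present on Windows Server but not on client editions.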

Steps to deploy the RMS connector

The connector does not automatically check all the prerequisites that it needs for a successful deployment, so make sure that these are in place before you start. The deployment requires you to install the connector, configure the connector, and then configure the servers that you want to use the connector.

Next steps

Go to Step 1: Installing and configuring the Azure Rights Management connector.