AD RMS Deployment in an Extranet Step-by-Step Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

About this Guide

This step-by-step guide walks you through the process of configuring Active Directory Rights Management Services (AD RMS) in a test environment that includes an extranet. An extranet is an extension of your organization's network to an external source. In this guide, the AD RMS cluster is extended to the Internet so that users can consume rights-protected content when not connected to the internal network. During this process, you install Microsoft Internet Security and Acceleration (ISA) Server 2006 Standard Edition, integrate it with AD RMS, and verify that you can open a rights-protected document from a computer that is not a member of your organizational network.

Once complete, you can use the test AD RMS lab environment to assess how AD RMS on Windows Server® 2008 can be created and deployed within your organization to accommodate for extranet users.

As you complete the steps in this guide, you will:

  • Install and configure ISA Server 2006 Standard Edition with AD RMS.

  • Verify AD RMS functionality after you complete the configuration.

Note

ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy server that has the ability to listen on TCP ports 80 and 443 can be used. For the purposes of this guide, we will use ISA Server 2006 Standard Edition.

What This Guide Does Not Provide

This guide does not provide the following:

  • Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured for a test environment. For more information about configuring AD RMS, see the Windows Server Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72134).

  • Complete technical reference for AD RMS or Microsoft ISA Server 2006 Standard Edition. For more information about Microsoft ISA Server 2006 Standard Edition, visit the ISA Server 2006 Technical Library (https://go.microsoft.com/fwlink/?LinkId=90738).

Deploying AD RMS in a Test Environment

We recommend that you use the steps provided in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide" before completing the steps in this guide. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional documentation and should be used with discretion as a stand-alone document.

Upon completion of this Step-by-Step guide, you will have a working AD RMS test lab environment configured for use in an extranet scenario. You can then test and verify AD RMS extranet functionality through the simple task of restricting permissions on a Microsoft Office Word 2007 document and attempting to open this document from a client computer that is not part of your organization's network.

The test environment described in this guide includes six computers that use the following operating systems, applications, and services:

Note

You will also need a USB flash drive or another medium to copy the files from the AD RMS-enabled client to the AD RMS-enabled extranet client.

Computer Name Operating System Applications and Services

ADRMS-SRV

Windows Server 2008

AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and Windows Internal Database

CPANDL-DC

Windows Server 2003 with Service Pack 1 (SP1)

Active Directory, Domain Name System (DNS)

ADRMS-DB

Windows Server 2003 with SP1

Microsoft SQL Server™ 2005 Standard Edition

ISA-SRV

Windows Server 2003 with SP1

Note
This computer must have two network adapters so that ISA Server 2006 can distinguish between the public and private IP addresses.

Microsoft ISA Server 2006 Standard Edition

ADRMS-CLNT

Windows Vista®

Microsoft Office Word 2007 Enterprise Edition

ADRMS-EXCLNT

Windows Vista

Microsoft Office Word 2007 Enterprise Edition

The first five computers in the table form a private intranet and are connected through a common hub or Layer 2 switch. Additionally, ISA-SRV has a second network adapter installed that is exposed to the Internet. This allows for the ISA Server to accept requests from the Internet and forward them to the AD RMS server. ADRMS-EXCLNT is a computer that is not part of the same network. This configuration can be emulated in a virtual server environment if desired.

This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com. ADRMS-EXCLNT is configured with an IP address of 10.0.100.2/24 in order to simulate a client computer on an extranet. The following figure shows the configuration of the test environment:

Note

In a production environment, the ISA server's external address would be an IP address available to the Internet, giving extranet users the ability to consume rights-protected content.