Changing AD RMS Proxy Settings

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

If you control access to resources outside of the local forest by a Web proxy server, you may need to configure Active Directory Rights Management Services (AD RMS) to use the proxy in some scenarios. Situations that require this are the following:

  • You are trusting rights account certificates (RACs) from Windows Live ID users.

    When you select to trust Windows Live ID sites and services as one of your trusted user domains, the AD RMS cluster needs to be able to validate the user against Windows Live ID sites and services.

  • You have multiple forests in your organization that are separated by a Web proxy server, and you have established trusts across those forests.

    This is similar to the scenario with Windows Live ID in that the registry of user accounts that the AD RMS cluster must validate against is behind the Web proxy server.

If your AD RMS cluster does not need to negotiate a connection through a proxy server, you do not need to configure these settings. If the proxy server authenticates users before allowing outbound access, you must provide a user account that AD RMS can use when challenged for credentials by the proxy server.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To change AD RMS proxy settings

  • To require a proxy server and optionally set proxy settings, at the Windows PowerShell prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name IsProxyRequired -Value $true -ProxyAddress <proxy_URL> [-ProxyBypassLocalAddress $true] [-ProxyBypassFilter "<filter_string>"] [-ProxyAuthenticationScheme <authentication_type> -ProxyAuthenticationCredential [[<domain>\]<user_name>]]

    where

    • <drive> is the name of the Windows PowerShell drive.

    • <proxy_URL> is the address and port of the proxy server, for example, https://proxysrvr:80.

    • <filter_string> is a list of addresses that should not go through the proxy server.

    • <authentication_type> is the authentication type used to connect to the proxy server and must be one of the following: Basic, Digest, or WindowsIntegrated.

    • <domain> and <user_name> are the domain and user name of the account used to authenticate to the proxy server. If you specify -ProxyAuthenticationCredential with the domain and user name, you are prompted for the password of the account. If you specify -ProxyAuthenticationCredential without the domain and user name on the command line, you are prompted for the domain, user name, and password. The domain is not required if the authentication type is set to WindowsIntegrated.

  • When IsProxyRequired is set to True, to allow or prevent addresses without fully qualified domain names (FQDNs) from connecting to the proxy server, at the Windows PowerShell prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name ProxyBypassLocalAddress -Value {$true|$false}

    where <drive> is the name of the Windows PowerShell drive.

  • When IsProxyRequired is set to True, to specify addresses that should not go through the proxy server, at the Windows PowerShell prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name ProxyBypassFilter -Value "<filter_string>"

    where

    • <drive> is the name of the Windows PowerShell drive.

    • <filter_string> is a list of addresses that should not go through the proxy server.

  • When IsProxyRequired is set to True, to require proxy authentication, at the Windows PowerShell prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name IsProxyAuthenticationRequired -Value $true -ProxyAuthenticationScheme <authentication_type> -ProxyAuthenticationCredential [[<domain>\]<user_name>]

    where

    • <drive> is the name of the Windows PowerShell drive.

    • <authentication_type> is the authentication type used to connect to the proxy server and must be one of the following: Basic, Digest, or WindowsIntegrated.

    • <domain> and <user_name> are the domain and user name of the account used to authenticate to the proxy server. If you specify -ProxyAuthenticationCredential with the domain and user name, you are prompted for the password of the account. If you specify -ProxyAuthenticationCredential without the domain and user name on the command line, you are prompted for the domain, user name, and password. The domain is not required if the authentication type is set to WindowsIntegrated.

  • When IsProxyAuthenticationRequired is set to True, to specify the authentication type, at the Windows PowerShell prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name ProxyAuthenticationScheme -Value <authentication_type> -ProxyAuthenticationCredential [[<domain>\]<user_name>]

    where

    • <drive> is the name of the Windows PowerShell drive.

    • <authentication_type> is the authentication type used to connect to the proxy server and must be one of the following: Basic, Digest, or WindowsIntegrated.

    • <domain> and <user_name> are the domain and user name of the account used to authenticate to the proxy server. If you specify -ProxyAuthenticationCredential with the domain and user name, you are prompted for the password of the account. If you specify -ProxyAuthenticationCredential without the domain and user name on the command line, you are prompted for the domain, user name, and password. The domain is not required if the authentication type is set to WindowsIntegrated.

  • When IsProxyRequired is set to True, to no longer require a proxy server, at the Windows PowerShell prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name IsProxyRequired -Value $false

    where <drive> is the name of the Windows PowerShell drive.
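The following script is an added example, not part of this page, that applies the procedure above in one pass and then reads the proxy properties back to confirm the cluster state. It assumes the AdRmsAdmin module and provider with a drive named AdrmsCluster mounted against the local cluster, and that the provider exposes the proxy settings as item properties of the drive root; the proxy URL, bypass filter (and its separator format), and service account name are constructed placeholders.

```powershell
# Added example (not the page's own code): configure and verify AD RMS proxy settings.
# Assumes the AdRmsAdmin module/provider; drive name AdrmsCluster is an assumption.
Import-Module AdRmsAdmin
New-PSDrive -Name AdrmsCluster -PsProvider AdRmsAdmin -Root http://localhost | Out-Null

$proxyUrl = 'https://proxysrvr:80'          # constructed placeholder (see <proxy_URL> above)
$bypass   = '*.corp.example;10.0.*'         # constructed placeholder; separator format assumed
$svcUser  = 'CONTOSO\svc-adrms-proxy'       # constructed placeholder account name

# Require the proxy, let non-FQDN (local) addresses bypass it, exempt the internal
# address list, and authenticate with WindowsIntegrated so the service account
# password is not sent to the proxy in clear text as it would be with Basic.
# Passing -ProxyAuthenticationCredential with domain\user prompts only for the password.
Set-ItemProperty -Path AdrmsCluster:\ -Name IsProxyRequired -Value $true `
    -ProxyAddress $proxyUrl `
    -ProxyBypassLocalAddress $true `
    -ProxyBypassFilter $bypass `
    -ProxyAuthenticationScheme WindowsIntegrated `
    -ProxyAuthenticationCredential $svcUser

# Read the resulting configuration back (assumes the provider exposes these
# settings as item properties of the drive root).
$cfg = Get-ItemProperty -Path AdrmsCluster:\
$cfg | Select-Object IsProxyRequired, ProxyAddress, ProxyBypassLocalAddress,
    ProxyBypassFilter, IsProxyAuthenticationRequired, ProxyAuthenticationScheme |
    Format-List

# Flag the combination a reviewer would question: Basic authentication to a
# proxy reached over plain HTTP exposes the service account credentials on the wire.
if ($cfg.IsProxyRequired -and
    $cfg.ProxyAuthenticationScheme -eq 'Basic' -and
    -not ([string]$cfg.ProxyAddress).StartsWith('https://')) {
    Write-Warning 'Basic proxy authentication over plain HTTP sends the AD RMS proxy credentials in clear text.'
}

Remove-PSDrive -Name AdrmsCluster
```

Run it in an elevated session as a member of AD RMS Enterprise Administrators; to stop using the proxy later, set IsProxyRequired back to $false as shown in the last step above.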

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Configuring AD RMS Cluster Properties