RMS FAQ: Internal and External Access

Updated: November 22, 2006

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Internal and External RMS Access FAQ

What changes do I have to make to my firewall to allow RMS clients outside the firewall to access RMS servers?

The firewall must allow outside computers to make Simple Object Access Protocol (SOAP) requests to the RMS server over HTTP (TCP port 80) or over HTTPS (TCP port 443).

How does the extranet scenario work?

Two URLs are contained in the publishing license bound to content. One is the intranet URL that is set when the RMS cluster is provisioned. The second is an extranet URL that can be set by the RMS administrator. This extranet URL allows the client to obtain use licenses outside the firewall. The extranet URL cannot be used for creating new rights-protected content. In that case, an RMS client registry override is required.

If a user creates rights-protected content and gives it to someone who does not have access to the RMS installation, can the recipient use the content?

If the user does not have a connection to the RMS installation when the protected content is first opened, the user cannot use the content.

Note that Office 2003 and later automatically obtains use licenses for rights-protected e-mail when it synchronizes so the e-mail can be read without a network connection. However, while Outlook 2003 and later will automatically cache use licenses for an e-mail, any Excel 2007, Excel 2003, Word 2007, Word 2003, PowerPoint 2007, and PowerPoint 2003 documents attached to the e-mail will have the same rights assigned as those of the e-mail carrying them. They do not automatically synchronize when the e-mail is downloaded and must be opened individually when the computer is attached to the network to obtain a use license.

If I use Outlook 2003 or Outlook 2007 to send a protected e-mail to one of my customers, what do they require to read the mail?

The recipient either needs to be using Outlook 2003, Outlook 2007 or the Rights Management Add-On with Internet Explorer. If the recipient’s organization has established a trust relationship between its RMS installation and yours, to the recipient can read the e-mail without additional steps. The trust relationship is established by exchanging RMS server licensor certificates, which contain their respective public keys.

If the recipient’s organization does not have an RMS infrastructure or no trust relationship is established, you can ask your customer to establish a Windows Live ID and then send the e-mail to the recipient by specifying rights assigned to the customer’s Windows Live ID credentials. This approach uses the Microsoft IRM Service available on the Internet to obtain a use license. The IRM Service is provided free of charge to allow people to use IRM on a trial basis and is intended for testing RMS only. If you choose to protect content using this service, please be aware that it might be discontinued without notice in the future.

If organizations have their own RMS servers, how can they exchange rights-protected content?

RMS uses trusted user domains whereby user certificates generated by one RMS installation are trusted by another.

When sending an e-mail that has been protected with RMS to an outside organization that does not support Outlook, can the recipient reply to an e-mail that is read by using Right Management Add-On with Internet Explorer?

The e-mail recipient can reply to a rights-protected e-mail just as with any e-mail, but the original body of the received e-mail will remain rights-protected to its original recipients. How that e-mail is packaged is determined by the client application. The original e-mail could be attached to the reply as an encrypted attachment or it could be removed altogether, as Outlook 2003 or Outlook 2007 does for example.

Community Additions