Appendix A: Making AD RMS Available on the Internet
Updated: July 15, 2011
Applies To: Windows Server 2008, Windows Server 2008 R2
An essential feature of any deployment of Active Directory Rights Management Services (AD RMS) for collaboration with external organizations is the ability to access the AD RMS infrastructure from outside your organization’s network, that is, from the Internet.
To acquire a certificate or a license for rights-protected content, a user must contact the AD RMS cluster. This implies that the AD RMS client communicates with the cluster across any firewall between the cluster and the client. This is ordinarily not a problem because communication between the client and the cluster occurs through ports 80 (HTTP) and 443 (HTTPS), which are widely accepted for publishing services to the Internet. Additionally, the cluster must be able to access the database server and the directory servers, which are accessed through a more extensive set of protocols and ports.
There are four basic architectures that provide access to AD RMS clusters from the Internet:
Host all of the AD RMS servers (root and licensing-only servers) in a perimeter network and configure them to access the directory services servers, which are hosted in the core network.
Host an AD RMS licensing-only cluster in a perimeter network and configure it to access the directory services servers and the AD RMS root server, which are hosted in the core network.
Host AD RMS servers, together with domain controllers to service them, in a perimeter network.
Host all of the AD RMS servers in the core network and publish them to the Internet through a reverse proxy, by using a product such as Internet Security and Acceleration (ISA) Server.
The four architectures are discussed in detail in the following topics: