AD RMS - work with IAG/UAG?

  • Question

  • We are looking into the possibility of implementing AD RMS working with SharePoint through our IAG (UAG in test at this point).  Has anyone implemented RMS in this fashion and, if so, how difficult was it?

     

    Thanks,

     

    Thursday, May 13, 2010 5:48 PM

Answers

  • RMS is not supported out of the box in UAG.

    However, in saying that, I will be looking into this next week for a client. Will let you know if I get it working.

    • Proposed as answer by braden Voigt Thursday, May 13, 2010 11:59 PM
    • Marked as answer by Erez Benari Wednesday, May 19, 2010 11:46 PM
    Thursday, May 13, 2010 11:55 PM

All replies

  • As long as the clients that are running remotely can get to the licensing server and have the correct AD RMS certificates (Machine, RAC and CLC), then I can't see an issue with running this through UAG.

    The problem as I see it would be if you were going to be doing this from a non-corporate domain connected machine: how would the client get the AD RMS certificates?

    Very interesting, and I'll have a look into what can be done.

    Friday, May 14, 2010 1:05 PM
  • We've been proofing this for a little while.

    MSFT has a good guide on publishing RMS through ISA (http://technet.microsoft.com/en-us/library/cc732653(WS.10).aspx). Though in theory it should work with UAG similarly, we've run into some issues.

    Publishing the licensing pipeline anonymously (anon is required for 'extranet'/non-domain/TUD/TPD access) works without issue.  You do have to disable a number of features in the trunk though, including endpoint detection and a few other small settings.  You also need to disable URL verification in the application (or create your own custom URL Set for RMS).

    Where we ran into issues is publishing the authenticated certification pipeline.  Even with pre-authentication disabled on the trunk, it appears the authentication requests get mangled by UAG RTM (we had this working with IAG/UAG beta using BASIC trunks, which are now gone).

    Our plan is to dig deeper and see if we can resolve the certification stuff.  I'd love to see an RMS wizard in UAG (similar to AD FS), or at least have it added to the supportability scenarios (with a handy TechNet article to go along with it).

    It'd be great to keep this thread going and see if we can come up with a collaborative solution for this.  I'll post some more details as soon as I get them.

    Thanks,

    David

    Friday, May 14, 2010 1:34 PM