Publishing an AD RMS extranet URL using UAG 2010

  • Question

  • Hi,

    I wonder about the requirements for publishing an AD RMS extranet URL using UAG. Do I need to have the AD RMS extranet URL point to the same public IP to which the UAG portal trunk points? Also, how do I test the functionality of AD RMS from the Internet after publishing? Can I consider this link to be all I need: http://technet.microsoft.com/en-us/library/gg313778.aspx ? Can I then protect Office documents while I am connected to the public Internet?


    Wednesday, April 13, 2011 2:03 PM

All replies

  • This is what I have:

    1. Two Win2k8 R2 AD RMS servers; the internal cluster is https://THCRMS.xxx.com.sa and the extranet URL is https://THCRMS.xxx.com

    2. Two UAG 2010 SP1 servers and one trunk configured to publish SharePoint 2010 and AD RMS.

    I published AD RMS on the UAG trunk with the following settings in the Web Servers tab:

    Addresses: THCRMS

    Paths (listed by default):
      /_wmcs/Certification
      /_wmcs/decommission
      /_wmcs/groupexpansion
      /_wmcs/licensing
      /_wmcs/LicensingWS
      /_wmcs/CertificationWS

    HTTPS Port: 443

    Public host name: THCRMS.xxx.com

    The application URL is https://THCRMS.xxx.com/_wmcs/Certification/ in the Portal Link tab.

    They have xxx.com and xxx.com.sa as external domains also; I registered THCRMS.xxx.com.sa and THCRMS.xxx.com to point to the same public IP as the UAG portal trunk. The public SAN certificate I have on the AD RMS servers is the same one on the UAG trunk, and it has alternative names for the xxx.com and xxx.com.sa records. I restricted access to a Word document against my internal AD RMS URL https://THCRMS.xxx.com.sa, then I sent it to a user to try to access it from the Internet. When the document opens it tries to connect to https://THCRMS.xxx.com.sa/_wmcs/licensing with no luck, knowing that the AD RMS extranet URL is https://THCRMS.xxx.com.

    Not sure what I am missing. Anyone have an idea?

    Sunday, April 17, 2011 11:51 AM
  • Hi Ahmad,

    3 quick points on your deployment ...

    1. Do you want to authenticate the users coming from the Internet to access the RMS server by first signing in to the UAG portal? If so, then you need to remove the public IP and DNS resolution entries for THCRMS.xxx.com and THCRMS.xxx.com.sa that point to the same public IP as the UAG portal trunk. Just create a normal trunk and follow the procedure in the TechNet article. Once the users are authenticated to the trunk they will be authenticated to RMS, and all traffic will be treated as if it were internal to the domain.
    2. Or do you want to authenticate the users directly to the RMS servers? If so, then you need to create a new trunk, load a new DMZ IP address on the external NIC of UAG and have the public IP of the extranet URL NAT'ed to the DMZ IP. Plus THCRMS.xxx.com.sa should NOT be resolvable from the Internet.
    3. On your comment above "...I restricted access to a word document against my internal AD RMS url https://THCRMS.xxx.com.sa then I sent it to a user to try to access it from internet. When the document opens it tries to connect to https://THCRMS.xxx.com.sa/_wmcs/licensing with no luck, knowing that the AD RMS extranet URL is https://THCRMS.xxx.com": This is because the client was provisioned in earlier days, and you probably added the extranet URL to the configuration afterwards. You need to flush the RMS client settings by clearing the DRM folder, and should access via the internal URL first, then try the external one. You can double-check by opening the protected document in Notepad and searching for the URLs inside.

    Hope this helps :)


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent


    Sunday, April 17, 2011 5:02 PM
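The Notepad check in point 3 above (open the protected document and look for the URLs embedded in it) can be scripted, which is handy when a user on the Internet sends back a file that "asks for the internal URL". The following is an added example, not code from this thread, from Microsoft's RMS tooling or from the Office file format specification. It assumes the license text Office embeds in an IRM-protected file is stored either as 8-bit text or as UTF-16LE (both encodings are scanned, at both UTF-16 byte alignments); the hostnames THCRMS.xxx.com and THCRMS.xxx.com.sa are the thread's own anonymised names, and the document bytes are constructed inline as a stand-in for a real protected file.

```python
import re

# AD RMS pipeline URLs have the shape https://<host>/_wmcs/<pipeline>[/<page>.asmx].
# One pattern for the raw bytes (8-bit text) and one for decoded UTF-16 text.
_URL_BYTES = re.compile(rb"https?://[A-Za-z0-9.\-]+/_wmcs/[A-Za-z0-9._\-/]*", re.IGNORECASE)
_URL_TEXT = re.compile(r"https?://[A-Za-z0-9.\-]+/_wmcs/[A-Za-z0-9._\-/]*", re.IGNORECASE)


def _normalise(url: str) -> str:
    """Lower-case scheme and host (DNS is case-insensitive), keep the path, drop a trailing slash."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}/{path}".rstrip("/")


def extract_wmcs_urls(data: bytes) -> list[str]:
    """Distinct _wmcs URLs embedded in a file: 8-bit hits first, then UTF-16LE hits.

    Assumption: the license text Office stores in an IRM-protected file (what the
    Notepad trick shows) is either 8-bit or UTF-16LE, so both are scanned. Both
    UTF-16 byte alignments are tried because the text need not start at an even offset.
    """
    hits = [m.group(0).decode("ascii") for m in _URL_BYTES.finditer(data)]
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        hits.extend(m.group(0) for m in _URL_TEXT.finditer(text))
    unique: dict[str, None] = {}
    for url in hits:
        unique.setdefault(_normalise(url), None)
    return list(unique)


def pipeline_of(url: str) -> str:
    """Pipeline name after /_wmcs/ (e.g. 'licensing'), lower-cased; '' if not a pipeline URL."""
    m = re.search(r"/_wmcs/([A-Za-z0-9]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def foreign_hosts(urls: list[str], extranet_host: str) -> dict[str, list[str]]:
    """Group, by pipeline, the URLs whose host is not the published extranet name.

    Every URL returned is one an Internet client will be sent to but cannot reach,
    which is exactly the failure described in the thread; an empty dict means the
    document only references the published name.
    """
    bad: dict[str, list[str]] = {}
    for url in urls:
        host = url.split("://", 1)[1].partition("/")[0]
        if host != extranet_host.lower():
            bad.setdefault(pipeline_of(url), []).append(url)
    return bad


# Constructed stand-in for a protected document (the thread has no file bytes):
# an OLE compound-file signature, padding that puts the UTF-16LE license text on
# an odd offset, unrelated binary, then an 8-bit certification URL on the extranet name.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"\x00" * 17
    + "<LICENSE>https://THCRMS.xxx.com.sa/_wmcs/licensing/</LICENSE>".encode("utf-16-le")
    + b"\x00\x01\x02"
    + b"https://THCRMS.xxx.com/_wmcs/Certification/Certification.asmx"
    + b"\x00" * 8
)

if __name__ == "__main__":
    urls = extract_wmcs_urls(SAMPLE_DOC)
    for url in urls:
        print(f"{pipeline_of(url):14} {url}")
    print("URLs not on the extranet name:", foreign_hosts(urls, "THCRMS.xxx.com"))
```

Run against a real file, `foreign_hosts(extract_wmcs_urls(open(path, "rb").read()), "THCRMS.xxx.com")` tells you at once whether the document was protected against the internal cluster URL (the licensing entry comes back on THCRMS.xxx.com.sa) before you start clearing DRM folders on the client.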
  • Hi Darth,

    I want to authenticate the users directly to the RMS servers: when the user opens a Word document protected using RMS from the Internet, he or she should be able to authenticate directly to the RMS server. I suppose this requires publishing AD RMS on either TMG or UAG. I am not sure why I need a dedicated UAG trunk for this, as you mentioned, since that requires an additional public IP for the trunk. Also, xxx.com.sa is a public DNS zone like xxx.com; that's why I registered the extranet URL for both with the same IP as my current UAG trunk.

    What do you think? Shall I publish it on TMG, and what are the steps?

    Sunday, April 17, 2011 7:08 PM
  • Yes via TMG the publishing would be much more straight forward.

    Need to create a web server publishing rule for THCRMS.xxx.com (with a listener on port 443) to the RMS server. Nothing that is too fancy, just ensure that the SSL certificate is from a commercial CA and the subject name matches the publishing URL.

    Publishing Overview:

    http://technet.microsoft.com/en-us/library/dd996632(WS.10).aspx

     


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Sunday, April 17, 2011 7:58 PM
  • Thank you, this means that I can publish THCRMS.xxx.com via TMG with one SSL web server publishing access rule, right? And this requires me to do the following:

    1. Register THCRMS.xxx.com with a public IP other than the one used now for the UAG trunk, and remove the public IP entry for THCRMS.xxx.com.sa (although xxx.com.sa is also a public DNS zone)

    2. Import the public certificate I have now installed on AD RMS server into the TMG servers local certificate store. The common name of the SAN certificate is THCRMS.xxx.com and it has many alternatives one of them is THCRMS.xxx.com.sa

    3. Create a publishing rule on TMG to publish the source https://THCRMS.xxx.com.sa to https://THCRMS.xxx.com

    However, I read the following in the link you sent me:

    In order to selectively enable or disable access to AD RMS functionality from the client, the AD RMS pipeline URLs must be published individually by the ISA server (as opposed to publishing the parent path shared by all AD RMS pipeline URLs). Available pipelines that are typically published externally include the following:

    Certification pipeline

    • Published through the path /_wmcs/Certification/Certification.asmx

    • Called when a user needs to request or renew a rights account certificate (RAC)

    • Default permissions should be kept, which causes users to be prompted for domain credentials when they access the service externally. Default permissions also provide temporary RACs to users on computers not managed by the organization’s IT department.

    Licensing pipeline

    • Published through the path /_wmcs/Licensing/License.asmx

    • Called when a user requests an end-user license (UL/EUL).

    • Anonymous access can be safely granted on this pipeline, if necessary, to issue licenses to external users

    How this will be reflected in my publishing rule?

    Last but not least, how to test functionality of AD RMS extranet url?

    Thanks again



    Sunday, April 17, 2011 8:58 PM
  • Hi Ahmad,

    Basically this means that on the Paths tab you need to include these two:

    /_wmcs/Licensing/*

    /_wmcs/Certification/*

    And on the listener Authentication use Basic & Integrated, with Authentication delegation set to "No delegation, but clients can authenticate directly".

    For testing ....

    • Protect a document on the internal network and copy it to a USB drive
    • Move to a workstation PC (Win 7 or Vista) connected to the Internet directly
    • Open the document ... you should get a prompt for RMS initialization and an authentication box for user ID + password

    Also review AD RMS Deployment in an Extranet Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/cc753490(WS.10).aspx

     


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Monday, April 18, 2011 7:44 AM
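The two halves of the advice above, publish only the Licensing and Certification paths and keep the internal cluster name unresolvable from the Internet, decide together which of the RMS client's requests from an Internet workstation can succeed. The following added example (not from the thread, not TMG's or Microsoft's code) models that: a TMG-style path rule, where a rule ending in "/*" is treated as a case-insensitive prefix match and a rule without "*" as an exact match (an assumption about TMG semantics, not something the thread states), evaluated together with a public DNS view. The resolver table, the RFC 5737 documentation address 203.0.113.10 and the list of client request URLs are constructed for the example; the hostnames are the thread's own anonymised names.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# The two pipelines recommended for publishing, in TMG Paths-tab syntax.
# Assumption: a rule ending in "/*" matches every request path under that folder
# (case-insensitively); a rule without "*" matches only that exact path.
PUBLISHED_PATHS = ["/_wmcs/Licensing/*", "/_wmcs/Certification/*"]

# Constructed public DNS view: only the extranet name has a public record; the
# internal cluster name THCRMS.xxx.com.sa deliberately has none. 203.0.113.10 is
# a documentation address (RFC 5737), not a real deployment.
PUBLIC_DNS = {"thcrms.xxx.com": "203.0.113.10"}

# Constructed requests an RMS client might issue when opening a protected file:
# the two published pipelines on the extranet name, the licensing pipeline on
# the internal name (what a document protected against the internal URL embeds),
# and a path the rule does not publish.
CLIENT_REQUESTS = [
    "https://THCRMS.xxx.com/_wmcs/certification/certification.asmx",
    "https://THCRMS.xxx.com/_wmcs/licensing/license.asmx",
    "https://THCRMS.xxx.com.sa/_wmcs/licensing/license.asmx",
    "https://THCRMS.xxx.com/_wmcs/groupexpansion/",
]


def path_published(path: str, published: list[str] = PUBLISHED_PATHS) -> bool:
    """Return True if a request path is covered by one of the published path rules."""
    p = path.lower()
    for rule in published:
        r = rule.lower()
        if r.endswith("/*"):
            # Keep the trailing "/" of the prefix so "/_wmcs/LicensingWS/" does not
            # ride in on the "/_wmcs/Licensing/*" rule.
            if p.startswith(r[:-1]):
                return True
        elif p == r:
            return True
    return False


@dataclass
class Verdict:
    url: str
    resolves: bool    # public DNS has a record for the host
    published: bool   # the path is allowed by the publishing rule

    @property
    def reachable(self) -> bool:
        return self.resolves and self.published

    def reason(self) -> str:
        if not self.resolves:
            return "host does not resolve from the Internet"
        if not self.published:
            return "path not covered by the publishing rule"
        return "ok"


def check_from_internet(urls: list[str], resolve: Callable[[str], Optional[str]],
                        published: list[str] = PUBLISHED_PATHS) -> list[Verdict]:
    """Evaluate each URL as an Internet client would see it: DNS first, then the TMG rule."""
    verdicts = []
    for url in urls:
        host, _, path = url.split("://", 1)[1].partition("/")
        verdicts.append(Verdict(url, resolve(host.lower()) is not None,
                                path_published("/" + path, published)))
    return verdicts


def first_failure(verdicts: list[Verdict]) -> Optional[Verdict]:
    """The first request that would fail, which is the one the user sees as the error."""
    return next((v for v in verdicts if not v.reachable), None)


if __name__ == "__main__":
    for v in check_from_internet(CLIENT_REQUESTS, PUBLIC_DNS.get):
        print(f"{'OK  ' if v.reachable else 'FAIL'} {v.url}: {v.reason()}")
```

Swapping `PUBLIC_DNS.get` for a function that really resolves names from an external vantage point (for instance one wrapping `socket.gethostbyname` on the test workstation) turns this into the pre-flight check for the USB-stick test: a document that embeds the internal name fails at the DNS step before any TMG rule is consulted, while a request for a pipeline outside the two published paths fails at the rule even though the extranet name resolves.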
  • Thank you Darth, what do you recommend regarding the extranet URL, shall I keep it https://THCRMS.xxx.com or make it https://THCRMS.xxx.com.sa ?

    Note: both FQDNs are external URLs because both of xxx.com.sa and xxx.com are public DNS zones

    Monday, April 18, 2011 8:16 AM
  • Well, it's a rather unusual scenario :) as you can keep both.

    But it would be preferable to keep https://THCRMS.xxx.com for Internet publishing and have THCRMS.xxx.com.sa not resolvable from the Internet.


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Monday, April 18, 2011 8:26 AM
  • Thank you Darth, I will try this and let you know my findings :)
    Monday, April 18, 2011 8:31 AM
  • There is one thing I forgot to report: the TMG our client has is configured with one NIC card only. Does this affect my plan to publish my extranet AD RMS to the Internet? What about the web listener?
    Monday, April 18, 2011 9:53 AM
  • Well, it's not exactly a recommended configuration to have TMG with a single NIC.

    http://technet.microsoft.com/en-us/library/ee796231.aspx#hhht4sdarg4

    But you can still publish RMS using the above with a bit of patience, refer to this discussion link in case you get stuck :)

    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/89c51627-e811-4465-ae6a-8e732cd64fa8/#69cc918e-8da8-4e63-9ed0-610cea3044f3


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Monday, April 18, 2011 6:56 PM
  • Thank you Darth, I appreciate your support. I have published AD RMS on TMG and it works fine. I did the steps you mentioned earler for testing and it worked !
    • Marked as answer by AhmadJY Tuesday, April 19, 2011 10:54 AM
    Tuesday, April 19, 2011 10:54 AM
  • Great news .. Cheers

    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Tuesday, April 19, 2011 7:46 PM
  • I have the exact same scenario. I've published the extranet URL through TMG, which appears to be fine. However, my RMS-protected Word 2011 document opens and asks to get access to my "INTERNAL" cluster URLs as well as the external URLs. Basically I get prompted twice by Word when opening an RMS document. Obviously the internal URL isn't accessible and thus the operation fails...

     

    Any ideas?

     

    I could change the internal URL to match the Extranet URL as I do have split brain DNS infrastructure....but I'm not sure why it would be asking me twice...


    Jason C. Shave | Microsoft UC V-TSP | MCITP:EA, MCTS:OCS Configuring/Voice, MCSE, CCA:MPS/NetScaler 8.0 | http://jasonshave.blogspot.com
    Wednesday, June 8, 2011 8:22 PM
  • @Jason - Getting prompted twice is not a problem, that's normal. But if it fails because the internal URL is not available, it is probably due to the RMS client. Download the RMS Toolkit SP2 on the PC, run the IRMCheck tool and post the results back for review.


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Wednesday, June 15, 2011 9:04 PM
  • Hi Adnan,

     

    Downloaded the tool and ran it. It spat out a bunch of text which I can't seem to copy and paste here other than the following:

    RM Activation Service https://jcsadrms.lvsedmtest.local/_wmcs/certification
    RM Certification Service https://jcsadrms.lvsedmtest.local/_wmcs/certification
    RM Online Publishing Service https://jcsadrms.lvsedmtest.local/_wmcs/licensing
    RM Client Enrollment Service https://jcsadrms.lvsedmtest.local/_wmcs/licensing

    I'm assuming since the "Online" URL is an internal address, this would be where my issues are. Is there a way to change this? 

     

     


    Jason C. Shave | Microsoft UC V-TSP | MCITP:EA, MCTS:OCS Configuring/Voice, MCSE, CCA:MPS/NetScaler 8.0 | http://jasonshave.blogspot.com
    Monday, June 20, 2011 7:05 PM
  • I should also mention I have the following GIC and CLC URLs:

     

    GIC Y shavej@lvsedmtest.ca Windows {LVSEDMTEST\shavej} 6/20/2011 6/19/2011-6/19/2012 Issued By:https://jcsadrms.lvsedmtest.local/_wmcs/certification
    CLC Y shavej@lvsedmtest.ca Windows {LVSEDMTEST\shavej} 6/20/2011 Always Issued By:https://jcsadrms.lvsedmtest.local/_wmcs/licensing
    https://jcsadrms.lvsedmtest.local/_wmcs/licensing
    https://adrms.lvsedmtest.ca/_wmcs/licensing

     


    Jason C. Shave | Microsoft UC V-TSP | MCITP:EA, MCTS:OCS Configuring/Voice, MCSE, CCA:MPS/NetScaler 8.0 | http://jasonshave.blogspot.com
    Monday, June 20, 2011 7:54 PM
  • Hi Jason,

    The URL's look fine and thus the client should be functioning correctly.

    Are you testing with client on the internal network or on the external network?

    Are both the URLs added to the Trusted Intranet and Trusted Sites properties?


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent

    Wednesday, June 22, 2011 4:21 PM
  • External network.

    Both URLs were added to the correct IE sites but this didn't seem to make a difference. It's almost like the document has embedded within it the URLs to contact. Not sure why they would have the internal URLs :(


    Jason C. Shave | Microsoft UC V-TSP | MCITP:EA, MCTS:OCS Configuring/Voice, MCSE, CCA:MPS/NetScaler 8.0 | http://jasonshave.blogspot.com
    Friday, September 2, 2011 6:54 PM
  • Hi Jason,

    Can you run the IRM check on the workstation again, and possibly upload it to an accessible location.

    Then go clear the RMS cache on the desktop via C:\Users\user_name\AppData\Local\Microsoft\DRM

    Try opening the protected document again and run the IRM check tool a second time.


    Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent | ADRMS Wiki Portal: Technet Wiki

    Saturday, September 3, 2011 9:14 PM