This Exchange Wiki page lists Information Rights Management (IRM) features in Microsoft Exchange 2007 SP3 and later versions and provides guidance about the Exchange Server and Active Directory Rights Management Services (AD RMS) configuration necessary to implement each of those features.   

Exchange Features

| Exchange IRM feature | Exchange version | Minimum Exchange Server role(s) required | Additional roles required (dependencies) | AD RMS version required | Configuration steps |
|---|---|---|---|---|---|
| Prelicensing | 2007 SP3, 2010, 2010 SP1 | Hub Transport | | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Prelicensing |
| OWA IRM | 2010, 2010 SP1 | CAS, Mailbox | Prelicensing | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Prelicensing; Implementing OWA IRM |
| IRM in Windows Mobile | 2010, 2010 SP1 | CAS | Prelicensing | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Prelicensing; Implementing IRM in Windows Mobile |
| IRM Search | 2010, 2010 SP1 | Hub Transport, Mailbox | Prelicensing | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Prelicensing; Implementing IRM Search |
| OWA WebReady Document Viewing | 2010 SP1 | CAS, Mailbox | Prelicensing | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Prelicensing; Implementing OWA WebReady Document Viewing |
| Transport Protection Rules | 2010, 2010 SP1 | Hub Transport | | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Transport Protection Rules |
| Transport Decryption | 2010, 2010 SP1 | Hub Transport | | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Transport Decryption |
| Journal Decryption | 2010, 2010 SP1 | Hub Transport | | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing Journal Report Decryption |
| IRM over EAS | 2010 SP1 | CAS, Mailbox | | Windows Server 2008 SP2, Windows Server 2008 R2 | Implementing IRM over Exchange ActiveSync |




Implementing Prelicensing

You can use the Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Microsoft Office Outlook recipient's authenticity so that the recipient can open messages without receiving a credential prompt on every attempt. The AD RMS Prelicensing agent requires the Hub Transport server role of Exchange Server 2007 or later. If Exchange Server is running on Windows Server 2003, the Windows Rights Management Server client must also be installed. No special configuration of Windows Rights Management Services or AD RMS is required to enable prelicensing.

To implement prelicensing, follow the instructions in the following documents:


Implementing OWA IRM

In Exchange 2010, IRM in Outlook Web App (OWA) allows your users to access the rich IRM functionality offered by Exchange to apply persistent IRM-protection to messaging content. OWA IRM requires the Prelicensing service, and the CAS and Mailbox server roles of Exchange Server 2010. In addition, AD RMS must be configured to support OWA IRM.

To implement OWA IRM, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:


Implementing IRM in Windows Mobile

Organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content.

In Microsoft Exchange Server 2010 RTM, use of IRM on mobile devices has the following requirements:

  • A mobile device running Windows Mobile 6.0 or later.
  • Certification of mobile devices must be enabled.
  • Users must connect the device to a computer and activate it for IRM using one of the following methods:
    • On computers running Windows 7 or Windows Vista, by using the Windows Mobile Device Center.
    • On computers running Windows XP, by using the Microsoft ActiveSync client application.

To implement IRM in ActiveSync and Windows Mobile, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:


Implementing IRM Search

In Microsoft Exchange Server 2010, you can provision personal archives for your users, helping you reduce or eliminate the use of .pst files. This results in more mailbox data being stored by a user, and it makes searching across the user's primary and archive mailboxes an important productivity tool.

With Exchange Search, new items are indexed almost immediately after they're created or delivered to the mailbox, providing users with a fast, stable, and more reliable way of searching mailbox data. In Exchange 2010 and Exchange Server 2007, content indexing is enabled by default on all mailbox databases, and there's no initial setup or configuration required.

Messages protected using Information Rights Management (IRM) are indexed by Exchange Search and included in search results. Messages must be protected by using an AD RMS server in the same Active Directory forest as the Exchange 2010 Mailbox server.

To implement the ability to search IRM-protected items, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:


Implementing OWA WebReady Document Viewing

In Exchange 2010 SP1, users can view supported IRM-protected attachments by using WebReady Document Viewing. This allows users to view supported attachments without having to download the attachment by using the associated application.

To implement OWA WebReady Document Viewing, follow the instructions in Implementing Prelicensing and then follow the instructions in the following documents:


Implementing Transport Protection Rules

In Exchange Server 2010, you can use transport protection rules to implement messaging policies that help protect sensitive information by inspecting message content, encrypting sensitive e-mail content, and using rights management to control access to the content. Transport protection rules allow you to use transport rules to IRM-protect messages by applying an AD RMS rights policy template.

To implement transport protection rules, follow the instructions in the following documents:


Implementing Transport Decryption

Transport decryption allows you to decrypt IRM-protected messages in transit. IRM-protected messages are decrypted by the Decryption agent. The Decryption agent decrypts the following types of IRM-protected messages:

  • Messages IRM-protected by the user in Outlook Web App.
  • Messages IRM-protected by the user in Outlook 2010.
  • Messages IRM-protected automatically by Outlook protection rules in Outlook 2010.

To implement transport decryption, follow the instructions in the following documents:


Implementing Journal Report Decryption

Journal report decryption allows you to save a clear-text copy of IRM-protected messages in journal reports, along with the original, IRM-protected message. If the IRM-protected message contains any supported attachments that were protected by the AD RMS cluster in your organization, the attachments are also decrypted.

Decryption is performed by the Journal Report Decryption agent. The agent decrypts the following types of IRM-protected messages:

  • Messages that were IRM-protected by the user in Outlook Web App.
  • Messages that were IRM-protected by the user in Outlook 2010.
  • Messages that were IRM-protected automatically in Outlook 2010 by using Outlook protection rules.
  • Messages that were IRM-protected automatically in transit by using transport protection rules.

To implement journal report pipeline decryption, follow the instructions in the following documents:


Implementing IRM over Exchange ActiveSync

In Exchange 2010 SP1, IRM in Exchange ActiveSync allows your users to access the rich IRM functionality offered by Exchange on any supported Exchange ActiveSync device without tethering the device to a computer and activating it for IRM.

Using IRM in Exchange ActiveSync, mobile device users can:

  • Create IRM-protected messages
  • Read IRM-protected messages
  • Reply to and forward IRM-protected messages

To implement IRM over Exchange ActiveSync, follow the instructions in the following documents:

 
