The cloud offers consumers more options for deploying their applications and is attractive from the perspective of predictable costs, reliability and scalability. However, not every component of an Organization’s environment may be fully suited for the cloud due to a variety of reasons including confidentiality and compliance. With the increasing trend of organizations to move parts of IT onto the cloud and retain core aspects of their business within their datacenters, it becomes important for us to understand how Exchange 2013 interoperates between on-premises and cloud. Exchange 2013 is designed from the ground up to support coexistence with the cloud. From both the administrator and end-user’s perspective, Exchange 2013 and Office 365 provide a seamless and feature rich experience. We will explore some of these features in this post.
- Secure mail routing
- Mail routing with the same domain space
- Unified GAL and Free/Busy sharing
- Centralized Egress of Messages
- Unified OWA login
- Centralized Management
- Mailbox Migrations
- Cloud-based Message Archiving
- Architecture Components: A hybrid Exchange 2013 environment comprises the following components.
- Exchange servers: You may have a combination of Exchange 2013, Exchange 2010 or earlier Exchange Servers and roles deployed on-premises. You will need a minimum of one Exchange 2013 Client Access and one Exchange 2013 Mailbox Server if you deploy Exchange 2013 on-premises in your organization.
- Microsoft Office 365: This is Microsoft’s feature-rich cloud-based service that includes cloud-based email, instant messaging and online conferencing, Office Web Apps including Word, Excel, PowerPoint and OneNote, and Email Archiving. You will need the Midsize Business and Enterprise Plan (E3) in order to configure Active Directory Synchronization with your on-premises environment. You will also need to configure an Exchange Online organization to enable hybrid deployments.
- Exchange Online Protection (EOP): EOP is included in all Office 365 Enterprise tenant subscriptions. EOP enables secure message delivery between cloud and on-premises Exchange Organizations and can also be configured to manage message routing between the Internet and your on-premises Exchange Organization.
- Hybrid Configuration wizard: The Hybrid Configuration wizard is used to manage the hybrid configuration through the Exchange Administrative Center (EAC). The Hybrid Configuration Wizard first performs prerequisite and topology checks and tests account credentials between the on-premises and Exchange Online organizations; it then performs the configuration changes needed to create and enable the hybrid deployment, including adding the HybridConfiguration object to the on-premises Active Directory environment.
- Microsoft Federation Gateway: On-premises Exchange Organizations must configure a federation trust with the Microsoft Federation Gateway before they can enable a hybrid configuration with an Exchange Online organization. The Microsoft Federation Gateway acts as a trust broker between the on-premises Exchange and the Exchange Online organizations, and federation trusts can be configured manually or via the Hybrid Configuration Wizard. A Federation Trust is necessary for your online and on-premises users to be able to share free/busy information.
- Active Directory Synchronization: AD synchronization enables a unified GAL across Online and on-premises users in your Exchange deployment. The AD Sync feature requires you to download and install the tool on a separate server (physical or virtual) in your on-premises environment. Note that the default limit of 20,000 objects that can be replicated between on-premises Active Directory and the online organization can be increased by contacting the Microsoft Online Services team.
- Active Directory Federation Services (Optional): The AD FS server implementation enables users in your organization to use their existing network credentials for logging on to the on-premises and Exchange Online organizations using “Single Sign-on”. This is facilitated by configuring trusts between the on-premises Active Directory Forest and the Microsoft Online ID.
- Certificates: To support secure communications between the on-premises and Online environments, Microsoft recommends that you purchase a Subject Alternative Name (SAN) SSL certificate that can be used to secure access to the following services:
- Primary shared SMTP domain: This is your primary email domain and needs to be installed on local Client Access and Mailbox Servers, e.g. chimpcorp.com
- Autodiscover: The Autodiscover service supports the configuration of remote clients (Outlook and Exchange ActiveSync), is installed on your CAS servers and should be provisioned according to the external Autodiscover FQDN of your Exchange 2013 CAS server, e.g. autodiscover.chimpcorp.com
- Transport: This is installed on your Exchange 2010 SP3 Edge Transport Servers and matches the external FQDN of your edge transport servers, e.g. edge.chimpcorp.com
- AD FS (optional): A certificate is required to establish trust between web clients and federation server proxies and to sign and decrypt security tokens.
- Exchange Federation: A self-signed certificate is required to establish a secure connection between the on-premises Exchange 2013 servers and the Microsoft Federation Gateway.
- Client Access: An SSL certificate is required for use by clients such as OWA, Exchange ActiveSync and Outlook Anywhere, e.g. webmail.chimpcorp.com
- Message Transport: Messages between the on-premises and online organizations are encrypted, authenticated and transferred via Transport Layer Security (TLS). Depending on how you choose to configure your hybrid environment, messages can flow in one of the following ways:
- Centralized Mail Transport: All Internet-bound email is delivered via the on-premises Exchange Organization. The Exchange on-premises organization is responsible for message transport and relays all Internet messages from the Exchange Online organization. This configuration is preferable if your organization has compliance or regulatory requirements and must monitor a single point of egress for all messages outside of your organization. Ensure that you provision sufficient bandwidth between the on-premises and online environments to process all outbound messages.
- Online-centric Transport: All Internet-bound email in the Organization is delivered via the Exchange Online organization. In this case, all external outbound messages from the on-premises Exchange Organization are relayed to servers in the Exchange Online organization. This is preferable if you wish to use Microsoft’s Exchange Archiving and Exchange Online Protection (EOP) solutions, as it supports the most efficient flow of messaging traffic.
- Independent message routing: All Internet-bound email from recipients in the Exchange Online organization is delivered directly to the Internet, taking an independent path from your on-premises Exchange 2013 Organization.
- Edge Routing: The on-premises endpoint for the Exchange and Exchange Online organizations must be an Exchange 2013 CAS Server or an Exchange 2010 SP3 Edge Transport Server. Communications between Exchange Online and older versions of Exchange, other SMTP hosts or appliances are not supported.
- Client Access: In Exchange 2013 client access is supported from Outlook via RPC/HTTP and Outlook Web App. Clients connecting to the on-premises Client Access server are redirected to either the on-premises Exchange 2013 Mailbox Server or provided with a link to logon to the Exchange Online organization.
Common Administrative Tasks
- Set up an Office 365 account: Via the Office 365 online portal here.
- Enabling a Hybrid Deployment: Use the Hybrid Deployment Wizard in the EAC.
- Configure or modify the Hybrid Deployment Options: Via the Hybrid Deployment Wizard in the EAC or Powershell
Set-HybridConfiguration -Features OnlineArchive,MailTips,OWARedirection,FreeBusy,MessageTracking
- Verify the configuration was successful: Via PowerShell
- Sharing Free/Busy information: Steps on how to configure Federation Trusts
- Configuring Active Directory Synchronization: Steps to download the AD Synchronization tool from the Office 365 portal.
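The brief lists "verify the configuration was successful" without a command. The following script is an added example, not part of the original brief: it checks the pieces the sections above describe (the HybridConfiguration object, the federation trust, the organization relationship used for free/busy, and TLS enforcement on the hybrid connectors). It assumes a remote PowerShell session to the on-premises Exchange 2013 organization; the test user is a placeholder, and the outbound connector name is the wizard's default and may differ in your organization.

```powershell
# Added example, not from the original brief: post-wizard verification of a hybrid deployment.
# Assumes a remote PowerShell session to the on-premises Exchange 2013 organization.
$testUser = "road.chimp@chimpcorp.com"   # placeholder: any mailbox in the on-premises organization

# 1. The HybridConfiguration object the wizard wrote to Active Directory
$hybrid = Get-HybridConfiguration
"Features : " + ($hybrid.Features -join ", ")
"Domains  : " + ($hybrid.Domains -join ", ")
"TLS cert : " + $hybrid.TlsCertificateName

# 2. Federation trust with the Microsoft Federation Gateway (prerequisite for free/busy sharing)
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Test-FederationTrust -UserIdentity $testUser | Format-Table Id, Type, Message -AutoSize

# 3. Organization relationship(s) that expose free/busy to the Exchange Online tenant
foreach ($rel in Get-OrganizationRelationship) {
    "{0}: FreeBusyAccessEnabled={1} Level={2} Domains={3}" -f $rel.Name, $rel.FreeBusyAccessEnabled,
        $rel.FreeBusyAccessLevel, ($rel.DomainNames -join ", ")
    Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity $testUser |
        Format-Table Id, Type, Message -AutoSize
}

# 4. Mail flow between the organizations must be TLS-only in both directions. A relaxed
#    connector means hybrid mail could cross the Internet in clear, or be accepted from an
#    impostor claiming to be the tenant.
$out = Get-SendConnector | Where-Object { $_.Name -like "Outbound to Office 365*" }   # wizard default name (assumption)
$in  = Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities }               # connectors configured for mutual TLS
$out | Format-List Name, SmartHosts, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName
$in  | Format-List Identity, RequireTLS, TlsDomainCapabilities, TlsCertificateName
if ($out | Where-Object { -not $_.RequireTLS -or $_.TlsAuthLevel -ne "DomainValidation" }) {
    Write-Warning "Outbound hybrid connector does not enforce domain-validated TLS"
}
if ($in | Where-Object { -not $_.RequireTLS }) {
    Write-Warning "A receive connector with TLS domain capabilities does not require TLS"
}
```

Run it once after the wizard completes and again after any connector or certificate change; the two warnings at the end are the conditions that silently downgrade the "encrypted, authenticated" transport described above.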
Top PowerShell Commands/Tools:
PowerShell Command Reference for Hybrid Configuration
Technet: Article on the Hybrid Configuration Wizard
Technet: Article on Hybrid Certificate Requirements
Technet: Article on configuring message routing
Labs on AD Synchronization
Due to the widespread prevalence of e-mail and the potential that e-mails contain sensitive information that may be of high impact to a business or contain personal information, many IT departments need to be able to track access to mailboxes. Mailbox audit logging enables an organization to identify mailbox access by mailbox owners, delegates and administrators.
- Mailbox Audit Logon Types
- Mailbox Audit Log
- Mailbox Audit Logon Types: In Exchange 2013, you can distinguish between three classes of users when they access a mailbox. These classes are:
- Mailbox Owners: The account designated to access the mailbox. (Primarily Users)
- Mailbox Delegates: Alternate accounts that have been granted permissions to access a mailbox
- Administrators: Administrators typically access a mailbox in three situations: when In-Place eDiscovery is used to search a mailbox; when the New-MailboxExportRequest cmdlet is used to export a mailbox; and when the Microsoft Exchange Server MAPI Editor is used to access a mailbox.
- Mailbox Audit Logs: Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. Log entries are retained in the mailbox by default for 90 days, in the Audits subfolder of the audited mailbox’s Recoverable Items folder. Mailbox audit logs allow you to specify what types of important information should be logged for a specific logon type. These include:
- User Actions (Accessing, copying, creating, moving or deleting a message)
- Performing SendAs or SendOnBehalf actions
- Reading or previewing a message
- Client IP address
- Client Host name
- Process that client used to access the mailbox
Common Administrative Tasks
- Enabling or Disabling Mailbox Audit Logging: via EAC or PowerShell
Set-Mailbox -Identity "Road Chimp" -AuditEnabled $true to enable &
Set-Mailbox -Identity "Road Chimp" -AuditEnabled $false to disable
- Enabling/Disabling Mailbox Audit Logging for various logon types:
Set-Mailbox -Identity "Road Chimp" -AuditOwner HardDelete,SoftDelete (actions to log for the owner) or
Set-Mailbox -Identity "Road Chimp" -AuditDelegate SendAs,SendOnBehalf,FolderBind (actions to log for delegates) or
Set-Mailbox -Identity "Road Chimp" -AuditAdmin Update,Move,HardDelete,SendAs (actions to log for administrators); each parameter takes the list of actions to audit for that logon type
- Verify Mailbox Audit Logging was configured: via Powershell
Get-Mailbox "Road Chimp" | Format-List *audit*
- Create a Mailbox Audit Log Search: via EAC or PowerShell
New-MailboxAuditLogSearch "Admin and Delegate Access" -Mailboxes "Road Chimp","Chief Peeler" -LogonTypes Admin,Delegate -StartDate 1/1/2012 -EndDate 12/01/2012 -StatusMailRecipients "email@example.com"
- Searching Mailbox Audit Log for a specific search term: via EAC or PowerShell
Search-MailboxAuditLog -Identity "Road Chimp" -LogonTypes Admin,Delegate -StartDate 1/1/2012 -EndDate 12/31/2012 -ResultSize 2000
- Bypass a User Account from Mailbox Audit Logging: via EAC or Powershell
Set-MailboxAuditBypassAssociation -Identity "Road Chimp" -AuditBypassEnabled $true
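The tasks above enable auditing one mailbox at a time and search the log without showing the individual records. The script below is an added example, not code from the original brief: it applies one explicit audit policy to a set of mailboxes, checks for bypass associations (a mailbox with a bypass produces no records at all), and then pulls the detailed admin and delegate records and summarises them by who did what, from where. It assumes an Exchange 2013 remote PowerShell session; mailbox names, the 30-day window and the client-process allow-list are placeholders.

```powershell
# Added example, not from the original brief. Assumes an Exchange 2013 remote PowerShell session.
$mailboxes = "Road Chimp", "Chief Peeler"   # placeholders

# One explicit action list per logon type, so every audited mailbox gets the same policy.
# Actions include Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind,
# SendAs, SendOnBehalf, MessageBind and Create; MailboxLogin applies to the owner only.
$auditSettings = @{
    AuditEnabled     = $true
    AuditLogAgeLimit = "180.00:00:00"       # keep entries for 180 days instead of the default 90
    AuditOwner       = "HardDelete", "SoftDelete", "MailboxLogin"
    AuditDelegate    = "SendAs", "SendOnBehalf", "FolderBind", "HardDelete", "Update"
    AuditAdmin       = "Update", "Move", "MoveToDeletedItems", "SoftDelete", "HardDelete",
                       "FolderBind", "SendAs", "SendOnBehalf", "MessageBind"
}
foreach ($mbx in $mailboxes) { Set-Mailbox -Identity $mbx @auditSettings }

# Verify the settings, then flag every account that bypasses auditing: such accounts leave no trace.
$mailboxes | Get-Mailbox | Format-Table Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin -Wrap
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Format-Table Identity

# Detailed (per-record) admin and delegate access for the last 30 days
$records = foreach ($mbx in $mailboxes) {
    Search-MailboxAuditLog -Identity $mbx -LogonTypes Admin,Delegate -ShowDetails `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
}

# Who accessed which mailbox, as which logon type, doing what
$records | Group-Object MailboxResolvedOwnerName, LogonType, LogonUserDisplayName, Operation |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Access from outside the organization, or from a client process not on the expected list,
# is what a reviewer wants to see first (the process list is a placeholder; tune it to your estate)
$records | Where-Object { $_.ExternalAccess -or $_.ClientProcessName -notmatch '^(OUTLOOK|MSExchangeRPC|w3wp)' } |
    Select-Object LastAccessed, MailboxResolvedOwnerName, LogonUserDisplayName, Operation,
                  ClientIPAddress, ClientProcessName, FolderPathName, ItemSubject |
    Format-Table -AutoSize
```

Search-MailboxAuditLog returns the record fields the brief lists (client IP, host, process) only with -ShowDetails; without it you get per-mailbox counts, which is enough for a dashboard but not for an investigation.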
Top PowerShell Commands/Tools:
– Set-Mailbox -AuditEnabled
– Set-Mailbox -AuditDelegate |AuditAdmin | AuditOwner
Technet: Article on Mailbox Audit Logging
Cmdlets: For Mailbox Audit Logging
DLP capabilities help you protect your sensitive data and inform users of your policies and regulations. DLP can also help you prevent users from mistakenly sending sensitive information to unauthorized people. When you configure DLP policies, you can identify and protect sensitive data by analyzing the content of your messaging system, which includes numerous associated file types. The DLP policy templates supplied in Exchange 2013 are based on regulatory standards such as PII and payment card industry data security standards (PCI-DSS). DLP is extensible, which allows you to include other policies that are important to your organization. Additionally, the new Policy Tips capability allows you to inform users about policy violations before sensitive data is sent.
- DLP Policies
- Sensitive Information Types
- Policy Detection and Reporting
- Policy Tips
The transport rule agent (TRA) is used in Exchange 2013 to invoke deep message content scanning and also to apply policies defined as part of Exchange Transport Rules.
- DLP Policies: These policies contain sets of conditions which comprise Transport rules, actions and exceptions. Conditions can be configured from scratch or modified from pre-existing policy templates in Exchange 2013. There are three supported methods to create DLP policies:
- Create a DLP policy from an existing policy template: At the time of writing, Exchange 2013 supports over 40 policy templates to support a number of compliance requirements from various countries and jurisdictions, such as GLB and PCI-DSS.
- Import a pre-built policy file from outside your organization: Exchange 2013 allows organizations to use DLP policies created by independent software vendors by importing these policies directly into Exchange as XML files. To define your own DLP policy template files, you must first define an XML schema (read here); then you can define sensitive information rule types (read here).
- Create a custom policy from scratch: Exchange 2013 provides the granularity to define a DLP policy to match an organization’s requirements for monitoring certain types of data.
- Sensitive Information Types: DLP now has the ability to perform deep content analysis via keyword matches, dictionary matches, regular expression evaluation, and other content examination to detect content that violates organizational DLP policies. Sensitive information rule types augment the existing transport rules framework and allow you to apply messaging policies to email messages that flow through the transport pipeline in the Transport service on Mailbox servers and on Edge Transport servers. Read my article on Exchange Transport architecture.
- Policy Detection and Reporting: Exchange 2013 provides availability and access to information that identifies policy violations occurring within the DLP environment. This information is made available via the Message Tracking Logs. The AgentInfo Event is used to add DLP related entries in the message tracking log. A single AgentInfo event will be logged per message describing the DLP processing applied to the message. An incident report can be created for each DLP policy rule set via the Generate Incident Report feature in the EAC.
- Policy Tips: enable you to notify email senders that they are about to violate one of the DLP policies before they send the offending message. Click here for more information.
Common Administrative Tasks
- Create a DLP policy from a Template: To use existing templates, the DLP policy must be configured via the EAC. Read this article.
- Import a DLP policy from a File†: Via EAC or PowerShell
Import-DlpPolicyCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\DLP Backup.xml" -Encoding Byte -ReadCount 0))
- Create a custom DLP policy without any rules: This must be configured via EAC
- Export a DLP policy: Via EAC or PowerShell
- Create a custom DLP policy: Via EAC or PowerShell
New-DlpPolicy "Employee IDs"
- View details of an existing DLP policy: Via EAC or PowerShell
Get-DlpPolicy "Employee IDs" | Format-List
- Change a DLP policy: Via EAC or PowerShell
Set-DlpPolicy "Employee IDs" -Mode Enforce (where -Mode is one of Audit, AuditAndNotify or Enforce)
- Delete a DLP policy: Via EAC or PowerShell
Remove-DlpPolicy "Employee IDs"
- Import/Export a DLP policy: Via EAC or PowerShell
- Manage Policy Tips: Via EAC, for more information click here.
- Create a New Classification Rule Collection: via PowerShell
New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path "C:\Doc\External Classification Rule Collection.xml" -Encoding Byte -ReadCount 0))
† This action overwrites all pre-existing DLP policies that were defined in your organization, so make sure you backup your current DLP policy information first.
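The tasks above show each cmdlet in isolation. The script below is an added example, not the brief's own code, that strings them together the way the sections on custom policies and sensitive information types describe: back up the existing collection (because an import replaces it), publish a custom sensitive information type as a classification rule collection, create a policy in Audit mode with one transport rule bound to it, and only later switch to Enforce. The rule pack follows the RulePackage schema referenced above; the "Chimpcorp Employee ID" type, its EMP-nnnnnn pattern, the report mailbox and the backup path are all constructed placeholders.

```powershell
# Added example, not from the original brief. Assumes an Exchange 2013 remote PowerShell session.
$policyName = "Employee IDs"
$backupDir  = "C:\Doc"                        # placeholder

# 1. Back up the current collection first: Import-DlpPolicyCollection replaces every policy.
$export = Export-DlpPolicyCollection
Set-Content -Path (Join-Path $backupDir "DLP Backup.xml") -Value $export.FileData -Encoding Byte

# 2. A custom sensitive information type. An Entity matches when the IdMatch regex is found
#    within patternsProximity characters of the supporting keyword, at the stated confidence.
$packId = [guid]::NewGuid(); $pubId = [guid]::NewGuid(); $entityId = [guid]::NewGuid()
$rulePack = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$pubId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Chimpcorp</PublisherName>
        <Name>Chimpcorp Identifiers</Name>
        <Description>Constructed example: detects internal employee identifiers</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_employee_id" />
        <Match idRef="Keyword_employee_id" />
      </Pattern>
    </Entity>
    <Regex id="Regex_employee_id">EMP-\d{6}</Regex>
    <Keyword id="Keyword_employee_id">
      <Group matchStyle="word">
        <Term>employee id</Term>
        <Term>staff number</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Chimpcorp Employee ID</Name>
        <Description default="true" langcode="en-us">Employee ID in the form EMP-nnnnnn near a supporting keyword</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
New-ClassificationRuleCollection -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePack))
Get-DataClassification "Chimpcorp Employee ID" | Format-List Name, Publisher, Description

# 3. Policy starts in Audit mode: the AgentInfo event and incident reports show what *would* be blocked.
New-DlpPolicy -Name $policyName -Mode Audit -Description "Constructed example policy"
New-TransportRule -Name "$policyName - block to external recipients" -DlpPolicy $policyName `
    -MessageContainsDataClassifications @{Name = "Chimpcorp Employee ID"; minCount = "1"} `
    -SentToScope NotInOrganization `
    -NotifySender RejectUnlessFalsePositiveOverride `
    -RejectMessageReasonText "This message contains employee identifiers and cannot leave the organization." `
    -GenerateIncidentReport "dlp-reports@chimpcorp.com" `
    -SetAuditSeverity High

Get-DlpPolicy $policyName | Format-List Name, Mode, State
Get-TransportRule | Where-Object { $_.DlpPolicy -eq $policyName } | Format-List Name, State, MessageContainsDataClassifications

# 4. After reviewing the audit-mode reports, switch to enforcement.
Set-DlpPolicy $policyName -Mode Enforce
```

Keeping the policy in Audit mode first matters because a new sensitive information type is a regular expression over live mail: the incident reports tell you the false-positive rate before a rejection ever reaches a user, and RejectUnlessFalsePositiveOverride gives the sender a recorded way out when it does.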
Top PowerShell Commands/Tools:
– Set|Get|New|Remove -DlpPolicy
– Set|Get|New|Remove -ClassificationRuleCollection
– Export|Import -DlpPolicyCollection
Command Reference for DLP
Microsoft Technet page on DLP in Exchange 2013
In-Place eDiscovery allows you to search mailbox data across your Exchange organization, preview search results, and copy them to a Discovery mailbox. Users in the Discovery Management role group can be delegated access to perform discovery searches without the need to grant them elevated privileges.
- Exchange Search and Keyword Query Language (KQL)
- Discovery Management Role group
- Discovery Mailboxes
- Discovery Search Actions
- eDiscovery Center
In-Place eDiscovery in Exchange 2013 supports the following:
- Exchange Search and Keyword Query Language (KQL): The content indexing feature of Exchange Search has been redesigned to provide greater integration with Microsoft Search Foundation and Microsoft Sharepoint 2013. By exposing the powerful federated search capabilities included in Sharepoint 2013, users can easily structure complex and efficient search queries. This article explains the Keyword Query Language (KQL) capabilities and syntax of Sharepoint 2013.
- Discovery Management Role group: This group consists of two management roles; the Mailbox Search Role, which allows a user to perform an In-place eDiscovery search; and the Legal Hold Role, which allows a user to place a mailbox in In-place hold or Litigation hold.
- Discovery mailboxes: These are used during In-Place eDiscovery searches as target mailboxes; the results of In-Place eDiscovery searches can be copied to these mailboxes. Discovery mailboxes cannot be repurposed as other types of mailboxes.
- Discovery Search Actions: Users can perform the following actions during a discovery search:
- Estimate search results: Obtain an estimate of the total size and number of items that will be returned by the search based on search criteria. Estimates are displayed in the details pane.
- Preview search results: Preview the results of a search by displaying messages returned from each mailbox searched.
- Copy search results: Copy messages returned in search results to a Discovery mailbox.
- eDiscovery Center: The eDiscovery Center site collection is part of SharePoint 2013 and provides features to help with the first half of the eDiscovery Reference Model (EDRM)—identification, preservation, collection, processing, and analysis; and is available on-premises or in the cloud. Using the eDiscovery Center, you can perform searches across SharePoint, Exchange and Lync content archived into Exchange. Click here for a great article on eDiscovery in Sharepoint.
Common Administrative Tasks
- Add a user to the Discovery Management Role Group: In EAC or PowerShell
Add-RoleGroupMember -Identity "Discovery Management" -Member "Road Chimp"
This can be verified via the command: Get-RoleGroupMember -Identity "Discovery Management"
- Create a Discovery Mailbox via the command:
New-Mailbox SearchResults01 -Discovery -UserPrincipalName SearchResults01@roadchimp.com
- Create an In-place eDiscovery Search: In EAC or PowerShell
New-MailboxSearch "Discovery-CaseID001" -StartDate "01/01/2012" -EndDate "12/01/2012" -SourceMailboxes "DG-Finance" -TargetMailbox SearchResults01 -SearchQuery '"Bananas" AND "Peel"'
- Preview an In-place eDiscovery Search: In EAC or PowerShell
Set-MailboxSearch -Identity "Discovery-CaseID001" -EstimateOnly $true, then Start-MailboxSearch -Identity "Discovery-CaseID001" (-EstimateOnly is a parameter of New-MailboxSearch and Set-MailboxSearch, not of Start-MailboxSearch)
- Start/Stop an In-place eDiscovery Search: In EAC or PowerShell
Start-MailboxSearch -Identity "Discovery-CaseID001" to start &
Stop-MailboxSearch -Identity "Discovery-CaseID001" to stop
- Retrieve the status of an In-place eDiscovery Search: In EAC or PowerShell
- Modify an In-place eDiscovery Search: In EAC or PowerShell
Set-MailboxSearch -Identity "Discovery-CaseID001" -SourceMailboxes "DG-Executives"
- Remove an In-place eDiscovery Search: In EAC or PowerShell
Remove-MailboxSearch -Identity "Discovery-CaseID001"
- Re-create the Discovery System Mailbox: Click here for more information.
- Configure Exchange for Sharepoint eDiscovery Center: Click here for steps.
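The search actions listed above (estimate, preview, copy) are separate tasks in the brief. The script below is an added example, not code from the original brief, that runs them as one workflow: lock the Discovery mailbox down to the Discovery Management role group, run an estimate-only search with a KQL query, poll for completion, and only then convert the same search into a copy. It assumes an Exchange 2013 remote PowerShell session; the case id, mailbox names, UPN and query terms are placeholders.

```powershell
# Added example, not from the original brief. Assumes an Exchange 2013 remote PowerShell session.
$caseId = "Discovery-CaseID001"
$target = "SearchResults01"

# Discovery mailbox, created once; only the Discovery Management role group may open it,
# so search results never become readable to ordinary administrators by accident.
New-Mailbox -Name $target -Discovery -UserPrincipalName "$target@roadchimp.com"
Add-MailboxPermission -Identity $target -User "Discovery Management" -AccessRights FullAccess -InheritanceType All

# KQL: phrase terms, a property restriction, and a date range set on the search itself.
$query = '"Bananas" AND "Peel" AND from:"chief.peeler@roadchimp.com"'
New-MailboxSearch -Name $caseId -SourceMailboxes "DG-Finance" -SearchQuery $query `
    -StartDate "01/01/2012" -EndDate "12/01/2012" -MessageTypes Email `
    -EstimateOnly -IncludeUnsearchableItems -LogLevel Full
Start-MailboxSearch -Identity $caseId   # errors harmlessly if creation already started the search

# Poll until the estimate finishes; Status and the *Estimate properties come from Get-MailboxSearch.
do {
    Start-Sleep -Seconds 15
    $s = Get-MailboxSearch -Identity $caseId
} while ($s.Status -match "InProgress|Queued|NotStarted")
"{0}: about {1} items, {2}" -f $s.Status, $s.ResultNumberEstimate, $s.ResultSizeEstimate

# Copy only when the estimate looks sane: a runaway query fills the Discovery mailbox
# (and its quota) with noise and is expensive to purge.
if ($s.Status -eq "EstimateSucceeded" -and $s.ResultNumberEstimate -gt 0) {
    Set-MailboxSearch -Identity $caseId -EstimateOnly $false -TargetMailbox $target -ExcludeDuplicateMessages $true
    Start-MailboxSearch -Identity $caseId
    Get-MailboxSearch -Identity $caseId | Format-List Name, Status, PercentComplete, ResultNumber, ResultSize, Errors
}
```

-IncludeUnsearchableItems matters for legal completeness: items the indexer could not parse (unsupported or encrypted attachments) are otherwise silently absent from both the estimate and the copy, and -LogLevel Full writes a search log to the Discovery mailbox that records exactly what was run.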
Top PowerShell Commands/Tools
– Stop-MailboxSearch
– Get-MailboxSearch
– Set-MailboxSearch
Command Reference for eDiscovery Search
Microsoft Technet page on eDiscovery
Article on Keyword Query Language
Technet blog writeup on eDiscovery Search
In the event that potential litigation may occur, an organization is required to preserve any electronically stored information (ESI), including email that’s relevant to the case. In-Place Hold enables an administrator to search and preserve messages matching query parameters. Messages are protected from deletion, modification, and tampering and can be preserved indefinitely or for a specified period.
- Users can be placed on one or multiple holds
- Preserve deleted items
- Query-based searches
- Transparent to users
In-place Hold enables an organization to configure a number of granular policies depending on the needs of a particular situation:
- Indefinite hold: This is intended to preserve mailbox items so you can meet eDiscovery requirements. During the period of litigation or investigation, items are never deleted. The duration is not known in advance, so no end date is configured. To hold all mail items indefinitely, you must not specify any query parameters or time duration when creating an In-Place Hold.
- Query-based hold: If your organization requires that only items matching query parameters be preserved either indefinitely or for a specified duration, you can use a query-based In-Place Hold. You can specify query parameters such as keywords, start and end dates, sender and recipient addresses and message types. After you create a query-based In-Place Hold, all existing mailbox items matching the query and items created in the future, including messages received at a later date that match query parameters are preserved.
- Time-based hold: A time-based In-Place Hold allows you to specify a duration of time for which to hold items. The duration is calculated from the date a mailbox item is received or created.
- Recoverable Items Folder: The recoverable items folder is a location in the user’s mailbox where items are sent to if they are not ‘hard deleted’. This folder contains the following subfolders:
Deletions – Contains items removed from the Deleted Items folder or soft deleted from other folders and are visible to the user when using the Recover Deleted Items feature in Outlook and Outlook Web App. By default, items reside in this folder until the deleted item retention period configured for the mailbox database or the mailbox expires.
Purges – When a user deletes an item from the Recoverable Items folder (by using the Recover Deleted Items tool in Outlook and Outlook Web App), the item is moved to the Purges folder. Items that exceed the deleted item retention period configured on the mailbox database or the mailbox are also moved to the Purges folder. Items in this folder aren’t visible to users if they use the Recover Deleted Items tool. When the mailbox assistant processes the mailbox, items in the Purges folder are purged from the mailbox database. When you place the mailbox user on litigation hold, the mailbox assistant doesn’t purge items in this folder.
DiscoveryHold – If a user is placed on an In-Place Hold, deleted items are moved to this folder. When the mailbox assistant processes the mailbox, it evaluates messages in this folder. Items matching the In-Place Hold query are retained until the hold period specified in the query. If no hold period is specified, items are held indefinitely or until the user is removed from the hold.
Versions – When a user is placed on In-Place Hold or litigation hold, mailbox items must be protected from tampering or modification by the user or a process. This is accomplished using copy-on-write. When a user or a process changes specific properties of a mailbox item, a copy of the original item is saved in the Versions folder before the change is committed. The process is repeated for subsequent changes. Items captured in the Versions folder are also indexed and returned in In-Place eDiscovery searches. After the hold is removed, copies in the Versions folder are removed by the Managed Folder Assistant.
- Multiple hold behavior: It’s possible that a user can be placed on multiple holds at the same time. Exchange handles this condition by applying the search parameters of all In-Place Holds together using a logical OR operator. A special condition is reached if a user is on more than five In-Place Holds: all items are then held automatically, which is more efficient than evaluating every query.
- User notification: Depending on your organization’s policies, a user may need to be informed when they are placed in hold. Exchange 2013 allows you to redirect a user to a web page based on a URL. Outlook 2010 displays this information in the backstage area.
- Monitoring Mailbox Quotas: In Exchange 2013, the Recoverable Items folder has its own quota and therefore items in the Recoverable Items folder aren’t counted toward the user’s mailbox quota. When a user exceeds the warning quota on the Recoverable Items folder (RecoverableItemsWarningQuota parameter, default 20 GB), an event is logged in the Application event log of the Mailbox server. Once the hard quota is reached (RecoverableItemsQuota, default 30 GB), users won’t be able to empty the Deleted Items folder or permanently delete mailbox items, and copy-on-write won’t be able to create copies of modified items. It is therefore crucial to monitor the Recoverable Items quotas for mailbox users placed on In-Place Hold.
- Archived Lync Content: Exchange 2013 allows you to archive Lync Server 2013 content in Exchange, removing the requirement of a separate SQL Server database to store archived Lync content. When you place an Exchange 2013 mailbox on In-Place Hold or litigation hold, Microsoft Lync 2013 content such as instant messaging conversations and files shared in an online meeting is archived in the mailbox. If you search the mailbox using the eDiscovery Center in Microsoft SharePoint 2013 or In-Place eDiscovery in Exchange 2013, any archived Lync content matching the search query is also returned in search results. To enable archiving of Lync content in an Exchange 2013 mailbox, you must configure Lync 2013 integration with Exchange 2013.
Common Administrative Tasks
- Authorize users: Add users to the Discovery Management Role Based Access Control Group.
- Place a mailbox in hold: EAC or Powershell
New-MailboxSearch "Hold-CaseId001" -SourceMailboxes "firstname.lastname@example.org" -InPlaceHoldEnabled $true
- Remove an In-place hold:
Set-MailboxSearch "Hold-CaseId001" -InPlaceHoldEnabled $false
- Notify a user who has been placed on hold:
Place the notification message in the mailbox user’s Retention Comment property and use the RedirectionURL property to link to a web page.
- Set a quota and warning quota for the Recoverable Items sub-folder.
For an entire database: Set-MailboxDatabase <database> -RecoverableItemsWarningQuota 20GB -RecoverableItemsQuota 30GB
For a single mailbox: Set-Mailbox "Road Chimp" -RecoverableItemsWarningQuota 20GB -RecoverableItemsQuota 30GB
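The quota discussion above ends with "it is crucial to monitor", but the brief gives no monitoring command. The script below is an added example, not part of the original brief: it places a query-based, time-limited hold, notifies the custodians through the retention comment and URL (the Set-Mailbox parameters are RetentionComment and RetentionUrl), sets explicit Recoverable Items quotas, and then reports every held mailbox's Recoverable Items usage against its warning quota, including the Versions and DiscoveryHolds subfolders described above. It assumes an Exchange 2013 remote PowerShell session; the case id, custodian addresses, hold period and URL are placeholders.

```powershell
# Added example, not from the original brief. Assumes an Exchange 2013 remote PowerShell session.
$case       = "Hold-CaseId001"
$custodians = "road.chimp@chimpcorp.com", "chief.peeler@chimpcorp.com"   # placeholders

# Query-based hold limited to 7 years (2555 days) from the date each item was received or created
New-MailboxSearch -Name $case -SourceMailboxes $custodians -InPlaceHoldEnabled $true `
    -SearchQuery '"Bananas" AND "Peel"' -ItemHoldPeriod 2555

foreach ($m in $custodians) {
    # Shown in Outlook's backstage view; the URL points at the organization's hold notice (placeholder)
    Set-Mailbox -Identity $m -RetentionComment "This mailbox is subject to a legal hold ($case)." `
                            -RetentionUrl "https://intranet.chimpcorp.com/legal/hold"
    # Explicit quotas for held mailboxes rather than inheriting whatever the database carries
    Set-Mailbox -Identity $m -RecoverableItemsWarningQuota 20GB -RecoverableItemsQuota 30GB
}

# Sizes arrive as ByteQuantifiedSize objects locally and as strings over remote PowerShell;
# both render as "20 GB (21,474,836,480 bytes)", so parse the byte count out of the text.
function ConvertTo-Bytes($size) {
    $text = "$size"
    if ($text -eq "Unlimited") { return [int64]::MaxValue }
    if ($text -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    throw "Unrecognised size value: $text"
}

# Every mailbox on an In-Place Hold or litigation hold, with Recoverable Items usage vs. warning quota
$held = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.InPlaceHolds -or $_.LitigationHoldEnabled }
foreach ($mbx in $held) {
    $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope RecoverableItems
    $root    = $folders | Where-Object { $_.FolderPath -eq "/Recoverable Items" }
    $used    = ConvertTo-Bytes $root.FolderAndSubfolderSize
    $warn    = ConvertTo-Bytes $mbx.RecoverableItemsWarningQuota
    $pct     = [math]::Round(100 * $used / $warn, 1)
    $detail  = ($folders | Where-Object { $_.FolderPath -match "/(Versions|DiscoveryHolds|Purges)$" } |
                ForEach-Object { "{0}={1}" -f $_.Name, $_.FolderSize }) -join " "
    "{0,-30} {1,6}% of warning quota  {2}" -f $mbx.DisplayName, $pct, $detail
    if ($pct -ge 80) { Write-Warning "$($mbx.DisplayName) is near its Recoverable Items warning quota" }
}
```

Schedule the reporting half of this: once a held mailbox hits RecoverableItemsQuota, copy-on-write stops producing versions, so the hold silently stops being tamper-proof exactly for the user who is generating the most change.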
Top PowerShell Commands/Tools
Technet article on In-place hold
Information Rights Management (IRM) features in Exchange 2013 are used to prevent information leakage or loss of potentially sensitive information, which can be costly to an organization and include financial loss, erosion of competitive advantage and damage to image and credibility.
- Active Directory Rights Management Services (RMS)
- AD RMS Rights Policy Templates
- Outlook/Transport Protection Rules
- E-mail/ OWA & ActiveSync support
- In-place eDiscovery support
- Hybrid and Cross-forest deployments
IRM features are deployed in conjunction with Microsoft Active Directory Rights Management Services (AD RMS). Using policy templates, an administrator can quickly deploy a wide array of policies to protect and secure potentially-sensitive data across a variety of client access methods (Outlook/OWA/ActiveSync), while still providing full support for eDiscovery and Journaling processes.
- AD RMS rights policy templates: RMS rights policy templates are XrML documents that contain a predefined usage policy that can be applied to protect an item of content. Templates can contain the following information:
- A template name and description.
- Users and groups that can be granted content licenses.
- The rights and associated conditions granted to the users.
- The content expiration policy.
- A set of extended policies.
- The template revocation policy.
- A revocation list.
- A revocation list refresh interval.
- A public key file for the revocation list.
- IRM Agents: IRM is implemented in Exchange 2013 using transport agents in the Transport service on a Mailbox server. The agents are the RMS Decryption Agent, Transport Rules Agent, RMS Encryption Agent, Prelicensing Agent and Journal Report Decryption Agent.
- Transport Protection Rules: A transport protection rule is used to apply persistent rights protection to messages based on properties such as sender, recipient, message subject, and content.
- Outlook Protection Rules: An AD RMS template can be applied to Outlook 2010 or other RMS-enabled applications in order to protect messages before they are sent.
- Transport Decryption: This feature allows the Transport Service to inspect the content of an IRM protected message in order to apply policies or rules to the message.
- In-place eDiscovery: You can configure IRM to allow Exchange Search to index IRM-protected messages, in order to support an In-place eDiscovery search that is performed by members of the Discovery Management role group.
- Journal report Decryption: This allows the Journaling agent to attach a decrypted copy of a rights-protected message to the journal report. This requires the Federated Delivery mailbox to be added to the super users group on the AD RMS server.
- IRM in OWA: The following IRM functionality is available from OWA: sending and reading IRM-protected messages, sending IRM-protected attachments, and WebReady Document Viewing.
- IRM in Exchange ActiveSync: Organizations can use Information Rights Management (IRM) to apply persistent protection to messaging content when accessed from mobile devices. Mobile device users can create/read/reply to and forward IRM-protected messages.
Common Administrative Tasks:
- Configuring IRM: Set-IRMConfiguration -InternalLicensingEnabled $true
- Create a Transport Protection Rule: via EAC or Cmdlet
Retrieve all RMS templates: Get-RMSTemplate | format-list
Create rule: New-TransportRule -Name "New rule" -SubjectContainsWords "Dirty Bananas" -ApplyRightsProtectionTemplate "Do Not Forward"
- Create an Outlook Protection Rule: New-OutlookProtectionRule -Name "Project Bananasplit" -SentTo "DL-BananasplitRnD@chimpcorp.com" -ApplyRightsProtectionTemplate "Business Critical"
- Add the Federation System Mailbox to AD RMS Super Users Group :
Create a dedicated Super User Group: New-DistributionGroup -Name "ADRMS SuperUsers" -Alias ADRMSSuperUsers
Add the Federated system mailbox to the group: Add-DistributionGroupMember -Identity ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
- Enable/Disable Transport Decryption: Set-IRMConfiguration -TransportDecryptionSetting Mandatory
- Enable IRM to support In-place eDiscovery:
Enable Exchange Search: Set-IRMConfiguration -SearchEnabled $true
Enable eDiscovery: Set-IRMConfiguration -EDiscoverySuperUserEnabled $true
- Enable/Disable Journal Report Decryption: Set-IRMConfiguration -JournalReportDecryptionEnabled $true
- Enable/Disable IRM OWA support:
Configure on each OWA Virtual Directory: Set-OWAVirtualDirectory -IRMEnabled $true
or Configure on each OWA Mailbox Policy: Set-OWAMailboxPolicy -IRMEnabled $true
- Enable/Disable IRM Exchange ActiveSync support:
Add the Federation System Mailbox to AD RMS Super Users Group (Step 4)
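The tasks above set each IRM switch separately and never check that AD RMS actually answers. The script below is an added example, not code from the original brief: it applies the licensing, decryption, search and journal settings in one call, runs the end-to-end Test-IRMConfiguration check for a sender, resolves the template by name before creating rules (a rule bound to a template AD RMS has not published never protects anything), and verifies the Super Users group membership that journal decryption and eDiscovery indexing depend on. It assumes AD RMS is already deployed and an Exchange 2013 remote PowerShell session; the sender, partner domain, distribution list and rule names are placeholders.

```powershell
# Added example, not from the original brief. Assumes AD RMS is deployed and an Exchange 2013 session.
$sender = "road.chimp@chimpcorp.com"   # placeholder

# 1. Licensing and decryption settings the rest of the IRM features depend on
Set-IRMConfiguration -InternalLicensingEnabled $true -TransportDecryptionSetting Mandatory `
    -JournalReportDecryptionEnabled $true -SearchEnabled $true -EDiscoverySuperUserEnabled $true
Get-IRMConfiguration | Format-List *Enabled, TransportDecryptionSetting, LicensingLocation

# 2. End-to-end check: can Exchange obtain certificates from AD RMS, prelicense and decrypt for this sender?
$result = Test-IRMConfiguration -Sender $sender
$result | Format-List Results, OverallResult
if ($result.OverallResult -ne "PASS") { throw "IRM is not functional for $sender; fix AD RMS before creating rules" }

# 3. Resolve the template by name rather than trusting a string in a rule
$tpl = Get-RMSTemplate | Where-Object { $_.Name -eq "Do Not Forward" }
if (-not $tpl) { throw "Template 'Do Not Forward' is not published by AD RMS" }

# 4. Transport protection rule: server-side, so it also covers ActiveSync and OWA senders
New-TransportRule -Name "Protect Bananasplit mail to partners" `
    -SubjectOrBodyContainsWords "Project Bananasplit" -RecipientDomainIs "partner.example" `
    -ApplyRightsProtectionTemplate $tpl.Name

# 5. Outlook protection rule: applied in Outlook before the message leaves the client, and not overridable
New-OutlookProtectionRule -Name "Project Bananasplit" -SentTo "DL-BananasplitRnD@chimpcorp.com" `
    -ApplyRightsProtectionTemplate $tpl.Name -UserCanOverride $false

# 6. Journal report decryption and eDiscovery indexing only work if the federated mailbox is a super user
$superUsers = Get-DistributionGroupMember -Identity ADRMSSuperUsers | Select-Object -ExpandProperty Name
if ($superUsers -notmatch "^FederatedEmail\.") {
    Write-Warning "Federated system mailbox is not in the AD RMS Super Users group; journal reports will stay encrypted"
}
```

Mandatory transport decryption is the setting that makes the rest of the compliance stack work on protected mail: with it set to Optional, a message the Transport service cannot decrypt is delivered unscanned, so DLP and transport rules never see its content.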
Top PowerShell Commands/Tools:
– New/Get-TransportRule (ApplyRightsProtectionTemplate)
Technet: Information Rights Management
Technet: Common IRM tasks
Technet: Configure permissions
Cmdlets: Messaging policy and compliance
Reference: AD RMS Rights Policy Templates
List of supported file types covered by IRM policies when attached to messages
Hi all! The thought hit me that Exchange has become such a massive beast that it can be extremely daunting for someone to pick up the technology from scratch.
So I’ve decided to put together a compilation of Exchange Briefs: short documents that contain a basic summary of a specific component/feature of Exchange and some links to resources and beyond.
I’ll try to standardize the format of each brief:
- Executive Overview
- Notable Features
- Common Administrative Tasks
- Top PowerShell Commands/Tools:
List of Briefs
This list will probably change and once I post a brief, I will link to it from here.
1. Exchange Unified Messaging
2. Site Resilience
3. Information Rights Management
4. Mailbox and Administrative Auditing
5. In-Place Archiving
6. Data Loss Prevention
7. Message Records Management
8. In-place eDiscovery
9. In-place Hold
10. Coexistence with Exchange Online (Hybrid)
11. Coexistence with Legacy Systems
12. Cross-Forest Coexistence
13. Exchange Federation
This project might take a while, so please drop some comments or requests and I will try to get to them!
Chimp’s Update: I’ve uploaded all of the Exchange 2013 components for Messaging and Compliance, numbered 3-9.
Ook… Road Chimp