DEP351 Windows ® Rights Management (Part 2): Enterprise Readiness & Deployment Marco DeMello Group Program Manager Windows Trusted Platforms & Infrastructure Microsoft Corporation

DEP351

Windows® Rights Management (Part 2): Enterprise Readiness & Deployment

Marco DeMello, Group Program Manager, Windows Trusted Platforms & Infrastructure

Microsoft Corporation

Agenda

Enterprise Readiness Considerations

Hardware and software pre-requisites

Deployment topologies

Small company

Large enterprise

Microsoft Beta 2 deployment

Key takeaways

Deployment Considerations: Process

Follow a tested methodology for solution deployment

E.g., Microsoft Solutions Framework

http://www.microsoft.com/msf/  

Identify: Teams, customers, goals, timelines, dependencies, exit criteria…

Build planning and process improvement time into the process

Deployment Considerations: Scalability

Capacity plan for Rights Management Services (RMS) based on Licensing requests

Model predicted RM license request load

Determine optimal front end server sizing and number

RMS is CPU bound

Licensing performance grows linearly with CPU speed & # of front ends

Multi-proc scalability: 2.8x going from 1 to 4 CPUs

Deployment Considerations: Scalability – Example

Fabrikam Corporation RM use:

Peak # of messages / hour: 273,000

% of mail that is RM protected: 60%

Peak # of RM document license requests/hour: 7500

Peak # of license requests per second: 47.6

Testing 2.4 GHz P4 dual proc front end: 82 licenses / second

1 front end satisfies performance requirements

Peak predicted load is 58% of server’s capacity

Deployment Considerations: Reliability

Rule of thumb: Follow best practices for SQL based web service

Network load balancing

Increases front end fault tolerance

Good backup / restore processes

SQL Clustering is optional

For license requests, the front end is not reliant on SQL Server being up

Certification requests require DB connectivity

Deployment Considerations: Reliability – Example

Fabrikam Corporation RM use:

1 front end meets scalability requirements

1 additional front end + NLB meets reliability requirements

No SQL clustering

Nightly SQL backup policy

Microsoft Operations Manager for RMS monitoring

Deployment Considerations: Desktop update

End users require:

RM client installation on the desktop

Lockbox installed on desktop

Requires machine Administrator privileges

User’s account certified

Client enrollment for offline publishing

Medium & Large organizations should automate these steps

Can be tied to logon or coupled with deployment of an RM-enabled application

Deployment Considerations: Security

Follow lock down best practices for IIS 6.0 web sites

Deploy hardware security module (HSM)

Don’t co-locate other applications on RMS hardware

Don’t run any other applications under the RMS account

If you expose licensing or certification over the Internet

Use SSL to provide privacy of request data especially

Require Windows Authentication on all RMS web services

Manage delegation of RMS administration

Turn on RMS request logging

Deployment Considerations: Geo-location

Plan to deploy in a single global data center

Reduces operations, hardware, management cost

Distribute deployment only if link quality demands

RMS request characteristics are latency & error resilient

Standard HTTP

Standard latency resilient TCP timeout

Single request, single response

No client–server session state on front ends

Deployment Prerequisites: Minimal Install

X.509v3 VeriSign Certificate (40 or 128bit)

P3 800 / 256MB / 20GB (Rec: P4 Dual / 512MB / 40GB)

Windows Server 2003 Internet Information Services 6.0

ASP.NET

MSMQ client for logging

MSDE or SQL Server 2000

Active Directory (AD): Windows 2000 or later

Test users must have accounts with mail attribute in the AD

RM client bits installed on client test machines

RM-enabled application

Deployment Prerequisites: Fabrikam’s Deployment

Enterprise characteristics

8,500 users

Single forest

Multiple domains and locations

Mix of Windows 2000 / NT4 domain controllers

Deployment highlights

2 front end servers running Windows Server 2003

RMS installed on both

Microsoft Network Load Balancing service

1 server running Windows 2000 and SQL 2000

Fabrikam Deployment

[Diagram labels: Internet, Fabrikam Corp, AD, RMS Cluster, NLB, SQL]

Deployment Prerequisites: Large enterprise

Multiple forests

Require a root cluster per forest

For user certification and group expansion

Necessary if forest contains:

User accounts to be certified

Windows DLs / Groups to be expanded

Option to centralize licensing functions to single forest

Reduces hardware / operations requirements

Dedicate more hardware and higher availability on org wide licensing cluster

Supporting Roaming Users

Allow SSL traffic through Firewall to internal RMS servers (like OWA)

Require authentication on all RMS requests

Can do inspection of requests at firewall

Deploy a dedicated RMS server in DMZ

Extra deployment cost but added security

Use a Virtual Private Network (VPN)

Strongest security but least flexibility

Business Communities: Cross-certification

2 peer organizations need to exchange sensitive information with each other

[Diagram labels: Fabrikam Corp, Contoso Pharma; SQL, RMS Cluster and NLB shown twice]

MS Deployment Overview

MSN

Beta 2 servers live since 1/16/03

54,000+ unique machine activations

Passport based RM account certification & licensing

Exchange Dogfood

Beta 2 servers since 1/24/03 for 3500 users

40,000+ licenses served. Content lives on.

OTG

Beta 2 servers live since 3/23/03 in 4 forests

20,000+ unique users of IRM in Office 11 in MS

Trust Policy Management

demo

Key Takeaways

RMS is an enterprise class service – plan accordingly

Think enterprise wide web application deployment model

Secure accounts, ACLs, SSL, HSMs

Think early about roaming use and collaboration needs

Learn More about RM

Learn about RMS: http://www.microsoft.com/rm

Learn about the RM add-on: http://www.microsoft.com/windows/ie/downloads/addon

Community Resources

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx

User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.