DEP351
Windows® Rights Management (Part 2): Enterprise Readiness & Deployment
Marco DeMello, Group Program Manager, Windows Trusted Platforms & Infrastructure
Microsoft Corporation
Agenda
Enterprise Readiness Considerations
Hardware and software pre-requisites
Deployment topologies:
Small company
Large enterprise
Microsoft Beta 2 deployment
Key takeaways
Deployment Considerations: Process
Follow a tested methodology for solution deployment
E.g., Microsoft Solutions Framework
http://www.microsoft.com/msf/
Identify: teams, customers, goals, timelines, dependencies, exit criteria…
Build planning and process improvement time into the process
Deployment Considerations: Scalability
Capacity plan for Rights Management Services (RMS) based on Licensing requests
Model predicted RM license request load
Determine optimal front end server sizing and number
RMS is CPU bound
Licensing performance grows linearly with CPU speed & # of front ends
Multi-proc scalability: 2.8x going from 1 to 4 CPUs
Deployment Considerations: Scalability – Example
Fabrikam Corporation RM use:
Peak # of messages / hour: 273,000
% of mail that is RM protected: 60%
Peak # of RM document license requests / hour: 7,500
Peak # of license requests per second: 47.6
Testing 2.4 GHz P4 dual proc front end: 82 licenses / second
1 front end satisfies performance requirements
Peak predicted load is 58% of the server’s capacity
Deployment Considerations: Reliability
Rule of thumb: follow best practices for a SQL based web service
Network load balancing increases front end fault tolerance
Good backup / restore processes
SQL clustering is optional
For license requests the front end is not reliant on the SQL server being up
Certification requests require DB connectivity
Deployment Considerations: Reliability – Example
Fabrikam Corporation RM use:
1 front end meets scalability requirements
1 additional front end + NLB meets reliability requirements
No SQL clustering
Nightly SQL backup policy
Microsoft Operations Manager for RMS monitoring
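The two Fabrikam slides above (scalability and reliability) can be reproduced with a small sizing model. This is an added example, not code from the deck: it takes the slide's inputs (273,000 messages/hour, 60% RM protected, 7,500 document license requests/hour, a measured 82 licenses/second per front end), derives the 47.6 requests/second and 58% utilization figures, and adds the N+1 spare front end the reliability slide pairs with NLB. The headroom parameter (max_utilization) and the clock-speed scaling helper are this example's own assumptions, the latter following the slide's "grows linearly with CPU speed" rule of thumb.

```python
"""Sizing an RMS licensing front end tier from the deck's Fabrikam load figures."""
import math
from dataclasses import dataclass


@dataclass
class RmsLoad:
    peak_messages_per_hour: int         # peak mail volume
    rm_protected_fraction: float        # share of mail that is RM protected
    doc_license_requests_per_hour: int  # non-mail document license requests


def peak_license_rps(load: RmsLoad) -> float:
    """Peak license requests per second: protected mail plus document licenses."""
    per_hour = (load.peak_messages_per_hour * load.rm_protected_fraction
                + load.doc_license_requests_per_hour)
    return per_hour / 3600.0


def scale_capacity(measured_lps: float, measured_ghz: float, target_ghz: float) -> float:
    """Slide rule of thumb: licensing throughput grows linearly with CPU speed."""
    return measured_lps * (target_ghz / measured_ghz)


def front_ends_for_load(peak_rps: float, server_lps: float, max_utilization: float = 1.0) -> int:
    """Smallest number of NLB front ends that keeps each below max_utilization.

    max_utilization=1.0 matches the slide (one front end at 58% of 82 lps is enough);
    a lower value is a headroom policy and is an assumption of this example.
    """
    if not 0 < max_utilization <= 1.0:
        raise ValueError("max_utilization must be in (0, 1]")
    return max(1, math.ceil(peak_rps / (server_lps * max_utilization)))


def size_deployment(load: RmsLoad, server_lps: float,
                    max_utilization: float = 1.0, spare_front_ends: int = 1) -> dict:
    """Scalability figure plus the N+1 front end the reliability slide adds for NLB."""
    rps = peak_license_rps(load)
    needed = front_ends_for_load(rps, server_lps, max_utilization)
    return {
        "peak_rps": round(rps, 1),
        "utilization_pct": round(100 * rps / (needed * server_lps)),
        "front_ends_for_capacity": needed,
        "front_ends_with_nlb_spare": needed + spare_front_ends,
    }


FABRIKAM = RmsLoad(273_000, 0.60, 7_500)  # figures from the slides

if __name__ == "__main__":
    print(size_deployment(FABRIKAM, server_lps=82))
```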
Deployment Considerations: Desktop update
End users require:
RM client installation on the desktop
Lockbox installed on desktop (requires machine Administrator privileges)
User’s account certified
Client enrollment for offline publishing
Medium & Large organizations should automate these steps
Can be tied to logon or couple with deployment of RM enabled application
Deployment Considerations: Security
Follow lock down best practices for IIS6.0 web sites
Deploy hardware security module (HSM)
Don’t co-locate other applications on RMS hardware
Don’t run any other applications under the RMS account
If you expose licensing or certification over the Internet, use SSL to provide privacy of request data
Especially, require Windows Authentication on all RMS web services
Manage delegation of RMS administration
Turn on RMS request logging
Deployment Considerations: Geo-location
Plan to deploy in a single global data center: reduces operations, hardware and management cost
Distribute deployment only if link quality demands
RMS request characteristics are latency & error resilient
Standard HTTP
Standard latency resilient TCP timeout
Single request, single response
No client–server session state on front ends
Deployment Prerequisites: Minimal Install
X.509v3 VeriSign certificate (40 or 128-bit)
P3 800 / 256MB / 20GB (Rec: P4 Dual / 512MB / 40GB)
Windows Server 2003 Internet Information Services 6.0
ASP.NET
MSMQ client for logging
MSDE or SQL server 2000
Active Directory (AD): Windows 2000 or later
Test users must have accounts with mail attribute in the AD
RM client bits installed on client test machines
RM-enabled application
Deployment Prerequisites: Fabrikam’s Deployment
Enterprise characteristics:
8,500 users
Single forest
Multiple domains and locations
Mix of Windows 2000 / NT4 domain controllers
Deployment highlights:
2 front end servers running Windows Server 2003
RMS installed on both
Microsoft Network Load Balancing service
1 server running Windows 2000 and SQL 2000
Fabrikam Deployment
Diagram: Fabrikam Corp network with Active Directory, the SQL server, and the RMS cluster behind NLB, reachable from the Internet
Deployment Prerequisites: Large enterprise
Multiple forests: require a root cluster per forest
For user certification and group expansion
Necessary if forest contains:
User accounts to be certified
Windows DLs / Groups to be expanded
Option to centralize licensing functions to single forest
Reduces hardware / operations requirements
Dedicate more hardware and higher availability on org wide licensing cluster
Supporting Roaming Users
Allow SSL traffic through Firewall to internal RMS servers (like OWA)
Require authentication on all RMS requests
Can do inspection of requests at firewall
Deploy a dedicated RMS server in DMZ: extra deployment cost but added security
Use a Virtual Private Network (VPN): strongest security but least flexibility
Business Communities: Cross-certification
2 peer organizations need to exchange sensitive information with each other
Diagram: Fabrikam Corp and Contoso Pharma, each with its own SQL server and RMS cluster behind NLB
MS Deployment Overview
MSN: Beta 2 servers live since 1/16/03; 54,000+ unique machine activations; Passport based RM account certification & licensing
Exchange Dogfood: Beta 2 servers since 1/24/03 for 3,500 users; 40,000+ licenses served. Content lives on.
OTG: Beta 2 servers live since 3/23/03 in 4 forests; 20,000+ unique users of IRM in Office 11 in MS
Trust Policy Management
Key Takeaways
RMS is an enterprise class service – plan accordingly
Think enterprise wide web application deployment model
Secure accounts, ACLs, SSL, HSMs
Think early about roaming use and collaboration needs
Learn More about RM
Learn about RMS: http://www.microsoft.com/rm
Learn about the RM add-on: http://www.microsoft.com/windows/ie/downloads/addon
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.