

DEP351 -

Windows Rights Management (Part 2): Enterprise Readiness & Deployment
Marco DeMello
Group Program Manager
Windows Trusted Platforms & Infrastructure
Microsoft Corporation
Enterprise Readiness Considerations
Hardware and software pre-requisites
Deployment topologies
Small company
Large enterprise
Microsoft Beta 2 deployment
Key takeaways
Deployment Considerations
Follow a tested methodology for solution
E.g., Microsoft Solutions Framework
Teams, customers, goals, timelines, dependencies, exit criteria…
Build planning and process improvement time into the process
Deployment Considerations
Capacity plan for Rights Management Services (RMS) based on licensing requests
Model predicted RM license request load
Determine optimal front end server sizing and
RMS is CPU bound
Licensing performance grows linearly with CPU speed & # of front ends
Multi-proc scalability: 2.8x going from 1 to 4 CPUs
Deployment Considerations
Scalability – Example
Fabrikam Corporation RM use:
Peak # of messages / hour: 273,000
% of mail that is RM protected: 60%
Peak # of RM document license requests/hour: 7500
Peak # of license requests per second: 47.6
Testing 2.4GHz P4 dual proc front end: 82 licenses /
1 front end satisfies performance requirements
Peak predicted load is 58% of server’s capacity
Deployment Considerations
Rule of thumb:
Follow best practices for SQL based web service
Network load balancing
Increases front end fault tolerance
Good backup / restore processes
SQL Clustering is optional
For license requests, the front end is not reliant on SQL Server being up
Certification requests require DB connectivity
Deployment Considerations
Reliability – Example
Fabrikam Corporation RM use:
1 front end meets scalability requirements
1 additional front end + NLB meets reliability
No SQL clustering
Nightly SQL backup policy
Microsoft Operations Manager for RMS
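
The sizing arithmetic behind the two Fabrikam example slides, as an added example that is not part of the original presentation; it also runs a constructed what-if beyond the slides. It assumes every protected message produces one license request at peak and reads the truncated "82 licenses /" figure as per second (the reading under which the slides' 47.6 and 58% both come out); `max_utilization` and `nlb_spares` are hypothetical planning parameters.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Sizing:
    peak_rps: float            # peak license requests per second
    single_server_load: float  # fraction of one front end's capacity
    for_capacity: int          # front ends needed to carry the load
    deployed: int              # for_capacity plus NLB spares


def size_front_ends(messages_per_hour, protected_fraction,
                    doc_requests_per_hour, server_rps,
                    max_utilization=0.75, nlb_spares=1):
    """Size RMS front ends from peak mail and document license demand."""
    if not 0.0 <= protected_fraction <= 1.0:
        raise ValueError("protected_fraction must be between 0 and 1")
    if server_rps <= 0 or not 0.0 < max_utilization <= 1.0:
        raise ValueError("server_rps must be > 0, max_utilization in (0, 1]")
    # Assumption: at peak, each protected message triggers one license request.
    hourly = messages_per_hour * protected_fraction + doc_requests_per_hour
    peak_rps = hourly / 3600
    # max_utilization is a hypothetical headroom ceiling, not from the slides.
    for_capacity = max(1, math.ceil(peak_rps / (server_rps * max_utilization)))
    return Sizing(peak_rps, peak_rps / server_rps, for_capacity,
                  for_capacity + nlb_spares)


# Figures from the Fabrikam slides; 82 is read as licenses per second (assumption).
FABRIKAM = size_front_ends(273_000, 0.60, 7_500, 82)
# Constructed what-if, not on the slides: all mail becomes RM protected.
ALL_PROTECTED = size_front_ends(273_000, 1.00, 7_500, 82)

if __name__ == "__main__":
    for name, s in (("Fabrikam", FABRIKAM), ("100% protected", ALL_PROTECTED)):
        print(f"{name}: {s.peak_rps:.1f} req/s, {s.single_server_load:.0%} of "
              f"one front end, {s.for_capacity} for load, {s.deployed} deployed")
```
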
Deployment Considerations
Desktop update
End users require:
RM client installation on the desktop
Lockbox installed on desktop
Requires machine Administrator privileges
User’s account certified
Client enrollment for offline publishing
Medium & large organizations should automate these steps
Can be tied to logon or coupled with deployment of an RM-enabled application
Deployment Considerations
Follow lockdown best practices for IIS 6.0 web sites
Deploy hardware security module (HSM)
Don’t co-locate other applications on RMS hardware
Don’t run any other applications under the RMS account
If you expose licensing or certification over the Internet
Use SSL to provide privacy of request data especially
Require Windows Authentication on all RMS web services
Manage delegation of RMS administration
Turn on RMS request logging
Deployment Considerations
Plan to deploy in a single global data center
Reduces operations, hardware, management cost
Distribute deployment only if link quality demands
RMS request characteristics are latency & error
Standard HTTP
Standard latency resilient TCP timeout
Single request, single response
No client–server session state on front ends
Deployment Prerequisites
Minimal Install
X.509v3 VeriSign Certificate (40 or 128-bit)
P3 800 / 256MB / 20GB (Rec: P4 Dual / 512MB / 40GB)
Windows Server 2003
Internet Information Services 6.0
MSMQ client for logging
MSDE or SQL Server 2000
Active Directory (AD): Windows 2000 or later
Test users must have accounts with mail attribute in the AD
RM client bits installed on client test machines
RM-enabled application
Deployment Prerequisites
Fabrikam’s Deployment
Enterprise characteristics
8,500 users
Single forest
Multiple domains and locations
Mix of Windows 2000 / NT4 domain controllers
Deployment highlights
2 front end servers running Windows Server 2003
RMS installed on both
Microsoft Network Load Balancing service
1 server running Windows 2000 and SQL 2000
Fabrikam Deployment
Fabrikam Corp
RMS Cluster
Deployment Prerequisites
Large enterprise
Multiple forests
Require a root cluster per forest
For user certification and group expansion
Necessary if forest contains:
User accounts to be certified
Windows DLs / Groups to be expanded
Option to centralize licensing functions to single forest
Reduces hardware / operations requirements
Dedicate more hardware and higher availability on org wide licensing cluster
Supporting Roaming Users
Allow SSL traffic through firewall to internal RMS servers (like OWA)
Require authentication on all RMS requests
Can do inspection of requests at firewall
Deploy a dedicated RMS server in DMZ
Extra deployment cost but added security
Use a Virtual Private Network (VPN)
Strongest security but least flexibility
Business Communities
2 peer organizations need to exchange sensitive information with each other
Fabrikam Corp
RMS Cluster
Contoso Pharma
RMS Cluster
MS Deployment Overview
Beta 2 servers live since 1/16/03
54,000 + unique machine activations
Passport based RM account certification & licensing
Exchange Dogfood
Beta 2 servers since 1/24/03 for 3500 users
40,000 + licenses served. Content lives on.
Beta 2 servers live since 3/23/03 in 4 forests
20,000 + unique users of IRM in Office 11 in MS
Trust Policy Management
Key Takeaways
RMS is an enterprise class service – plan
Think enterprise wide web application deployment model
Secure accounts, ACLs, SSL, HSMs
Think early about roaming use and collaboration needs
Learn More about RM
Learn about RMS
Learn about the RM add-on
Community Resources
Most Valuable Professional (MVP)
Converse online with Microsoft Newsgroups, including Worldwide
User Groups
Meet and learn with your peers
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.