DEP351 Windows Rights Management (Part 2): Enterprise Readiness & Deployment
Marco DeMello, Group Program Manager, Windows Trusted Platforms & Infrastructure, Microsoft Corporation

Agenda
- Enterprise readiness considerations
- Hardware and software prerequisites
- Deployment topologies
  - Small company
  - Large enterprise
- Microsoft Beta 2 deployment
- Key takeaways

Deployment Considerations: Process
- Follow a tested methodology for solution deployment, e.g. Microsoft Solutions Framework: http://www.microsoft.com/msf/
- Identify: teams, customers, goals, timelines, dependencies, exit criteria…
- Build planning and process improvement time into the process

Deployment Considerations: Scalability
- Capacity plan for Rights Management Services (RMS) based on licensing requests
  - Model predicted RM license request load
  - Determine optimal front end server sizing and number
- RMS is CPU bound
  - Licensing performance grows linearly with CPU speed and number of front ends
  - Multi-proc scalability: 2.8x going from 1 to 4 CPUs

Deployment Considerations: Scalability – Example
- Fabrikam Corporation RM use:
  - Peak # of messages / hour: 273,000
  - % of mail that is RM protected: 60%
  - Peak # of RM document license requests / hour: 7500
  - Peak # of license requests per second: 47.6
- Testing
  - 2.4 GHz P4 dual proc front end: 82 licenses / second
  - 1 front end satisfies performance requirements
  - Peak predicted load is 58% of the server's capacity

Deployment Considerations: Reliability
- Rule of thumb: follow best practices for a SQL-based web service
- Network load balancing increases front end fault tolerance
- Good backup / restore processes
- SQL clustering is optional
  - For license requests the front end is not reliant on the SQL server being up
  - Certification requests require DB connectivity

Deployment Considerations: Reliability – Example
- Fabrikam Corporation RM use:
  - 1 front end meets scalability requirements
  - 1 additional front end + NLB meets reliability requirements
  - No SQL clustering
  - Nightly SQL backup policy
  - Microsoft Operations Manager for RMS monitoring
Deployment Considerations: Desktop update
- End users require:
  - RM client installation on the desktop
    - Lockbox installed on desktop
    - Requires machine Administrator privileges
  - User's account certified
  - Client enrollment for offline publishing
- Medium and large organizations should automate these steps
  - Can be tied to logon or coupled with deployment of the RM-enabled application

Deployment Considerations: Security
- Follow lock down best practices for IIS 6.0 web sites
- Deploy a hardware security module (HSM)
- Don't co-locate other applications on RMS hardware
- Don't run any other applications under the RMS account
- If you expose licensing or certification over the Internet:
  - Use SSL to provide privacy of request data, especially in this case
  - Require Windows Authentication on all RMS web services
- Manage delegation of RMS administration
- Turn on RMS request logging

Deployment Considerations: Geo-location
- Plan to deploy in a single global data center
  - Reduces operations, hardware and management cost
- Distribute deployment only if link quality demands it
- RMS request characteristics are latency and error resilient
  - Standard HTTP
  - Standard latency resilient TCP timeout
  - Single request, single response
  - No client–server session state on front ends

Deployment Prerequisites: Minimal Install
- X.509v3 VeriSign certificate (40 or 128 bit)
- P3 800 / 256 MB / 20 GB (recommended: P4 dual / 512 MB / 40 GB)
- Windows Server 2003
  - Internet Information Services 6.0
  - ASP.NET
  - MSMQ client for logging
- MSDE or SQL Server 2000
- Active Directory (AD): Windows 2000 or later
  - Test users must have accounts with the mail attribute in the AD
- RM client bits installed on client test machines
- RM-enabled application

Deployment Prerequisites: Fabrikam's Deployment
- Enterprise characteristics
  - 8,500 users
  - Single forest
  - Multiple domains and locations
  - Mix of Windows 2000 / NT4 domain controllers
- Deployment highlights
  - 2 front end servers running Windows Server 2003
    - RMS installed on both
    - Microsoft Network Load Balancing service
  - 1 server running Windows 2000 and SQL 2000
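A capacity-planning calculation, added here as an example and not part of the original presentation, that reproduces the Fabrikam sizing from the scalability and reliability slides (47.6 requests/s, 58% of one front end, one extra front end behind NLB). It assumes that the RM-protected mail and document license request streams add up, which is how the slide's per-second figure reconciles, and scales per-box capacity linearly with clock speed as the slide states.

```python
import math

# Inputs from the Fabrikam scalability slide (constructed to reproduce the slide's
# worked numbers; treating mail and document requests as additive is an assumption).
PEAK_MESSAGES_PER_HOUR = 273_000
RM_PROTECTED_FRACTION = 0.60
PEAK_DOC_LICENSE_REQUESTS_PER_HOUR = 7_500
MEASURED_LICENSES_PER_SEC = 82.0   # 2.4 GHz P4 dual-proc front end, from the slide
MEASURED_GHZ = 2.4


def peak_license_requests_per_sec(messages_per_hour, protected_fraction,
                                  doc_requests_per_hour):
    """Predicted peak licensing load in requests/second (assumes the two
    request streams add up; the slide's 47.6/s reconciles that way)."""
    per_hour = messages_per_hour * protected_fraction + doc_requests_per_hour
    return per_hour / 3600.0


def front_end_capacity_per_sec(target_ghz, measured_per_sec=MEASURED_LICENSES_PER_SEC,
                               measured_ghz=MEASURED_GHZ):
    """Per-front-end capacity at another clock speed. The slide says licensing
    performance grows linearly with CPU speed (same CPU count assumed)."""
    return measured_per_sec * target_ghz / measured_ghz


def plan_front_ends(load_per_sec, capacity_per_sec, spare_for_nlb=1):
    """Size the licensing tier: ceil(load / capacity) front ends for the load
    (they scale linearly per the slide) plus NLB spares for fault tolerance.
    Returns (for_load, with_redundancy, utilization_of_loaded_tier)."""
    if capacity_per_sec <= 0:
        raise ValueError("capacity must be positive")
    for_load = max(1, math.ceil(load_per_sec / capacity_per_sec))
    utilization = load_per_sec / (for_load * capacity_per_sec)
    return for_load, for_load + spare_for_nlb, utilization


def fabrikam_plan():
    """Reproduce the slide's sizing: 47.6 req/s, 58% of one box, 1 + 1 NLB spare."""
    load = peak_license_requests_per_sec(PEAK_MESSAGES_PER_HOUR, RM_PROTECTED_FRACTION,
                                         PEAK_DOC_LICENSE_REQUESTS_PER_HOUR)
    capacity = front_end_capacity_per_sec(MEASURED_GHZ)  # the tested box itself
    for_load, total, util = plan_front_ends(load, capacity)
    return {"load_per_sec": round(load, 1), "front_ends_for_load": for_load,
            "front_ends_with_nlb": total, "utilization_pct": round(util * 100)}


if __name__ == "__main__":
    print(fabrikam_plan())
```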
Fabrikam Deployment (diagram: Internet → Fabrikam Corp RMS cluster with AD, SQL and NLB)

Deployment Prerequisites: Large enterprise
- Multiple forests
  - Require a root cluster per forest for user certification and group expansion
  - Necessary if the forest contains:
    - User accounts to be certified
    - Windows DLs / groups to be expanded
- Option to centralize licensing functions to a single forest
  - Reduces hardware / operations requirements
  - Dedicate more hardware and higher availability on the org-wide licensing cluster

Supporting Roaming Users
- Allow SSL traffic through the firewall to internal RMS servers (like OWA)
  - Require authentication on all RMS requests
  - Can do inspection of requests at the firewall
- Deploy a dedicated RMS server in the DMZ
  - Extra deployment cost but added security
- Use a Virtual Private Network (VPN)
  - Strongest security but least flexibility

Business Communities: Cross-certification
- 2 peer organizations need to exchange sensitive information with each other
(diagram: Fabrikam Corp RMS cluster with SQL and NLB cross-certified with Contoso Pharma RMS cluster with SQL and NLB)

MS Deployment Overview
- MSN Beta 2 servers live since 1/16/03
  - 54,000+ unique machine activations
  - Passport-based RM account certification and licensing
- Exchange Dogfood Beta 2 servers since 1/24/03 for 3500 users
  - 40,000+ licenses served. Content lives on.
- OTG Beta 2 servers live since 3/23/03 in 4 forests
  - 20,000+ unique users of IRM in Office 11 in MS

Demo: Trust Policy Management

Key Takeaways
- RMS is an enterprise class service – plan accordingly
- Think enterprise wide web application deployment model
  - Secure accounts, ACLs, SSL, HSMs
- Think early about roaming use and collaboration needs

Learn More about RM
- Learn about RMS: http://www.microsoft.com/rm
- Learn about the RM add-on: http://www.microsoft.com/windows/ie/downloads/addon

Community Resources
- Community Resources: http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.