This session was an interactive session, meaning it was in a small room, and most of the discussion was directed by questions. I thought it was very enlightening, and I learned a lot of good information about the integration between RMS and Exchange 2010/SP1. Integration is very easy and seamless. Once you configure your RMS server, all of the Exchange integration is pretty much automatic and merely consists of selecting what template to use for a given situation. I don’t think it could get much easier.
– Exchange 2010 enables automatic protection of email messages and consumption of RMS protected messages in a variety of ways:
1. Transport rules – Configure granular rules to automatically apply RMS templates to messages that meet prescribed conditions. Conditions can include DLs, subject/body text, regular expressions, and dozens of other options. Extremely customizable. For example, you could setup a regular expression to search the body of a message for a string like “Company confidential” and not allow the message to be sent to external recipients. Or you could configure rules such that messages between two groups in your organization are always encrypted and you can’t forward them. The sky is the limit on how creative you can be with the conditions, actions, and templates.
2. E-Discovery – Journaled messages have the original RMS protected message and a decrypted version attached to the message. All RMS protected messages are indexed. This preserves the original message for compliance purposes, but also allows authorized e-discovery users to read the contents.
3. Extended to OWA and mobile devices – Seamless integration with OWA to set RMS policies and access protected messages. Mobile device support is up to the phone provider, but is enabled via Exchange Active Sync. Within OWA you can search RMS protected messages. iPhone support for RMS messages is TBD. Windows mobile 6.0 and 6.5 will support this feature.
4. Transport Decryption – Early in the transport pipeline messages are decrypted, transport rules applied, third party products can scan messages (such as anti-virus), then the message is re-encrypted before it leaves the transport server. This allows any transport functionality such as adding disclaimers, anti-virus scanning, or other products to access the contents of the message. RMS protected messages are now first class citizens in Exchange.
– Outlook 2010 supports automatic protection rules. Unlike transport rules, Outlook protection rules apply content restrictions/encryption at the Outlook client before the message goes over the wire. The message is then protected in the user’s sent items folder as well. Transport decryption applies to these messages, so they are still scanned by AV and subject to content inspection rules. But the RMS template applied at the client is honored through the entire message delivery path and is not removed.
To get the full functionality of this ecosystem, you need Exchange 2010, Outlook 2010, and RMS running on Windows Server 2008 SP2 or Server 2008 R2. Most of the functionality is supported on down-level Outlook clients like 2003 and 2007, except for the Outlook automatic protection feature.
As a side note, advanced transport features such as message moderation are honored. Message moderation is where a transport rule invokes a work flow that requires a user or group of users to approve the sending of a message before the recipient(s) can read it. For example, if you are in a financial institution you could require message moderation for any messages between your stock traders and your investment brokers. Sometimes you hear these restrictions described as an ethical firewall. Transport rules could also completely block such communications, as well.
One caveat is that when using Outlook in cached mode you cannot search RMS protected messages. If Outlook is operating in online mode, or using OWA, you can search protected messages. This may change in future versions or service packs of Office.
