Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Enabling transport decryption allows the Transport Rules agent on Hub Transport servers to access content in messages protected by Information Rights Management (IRM). As a result, other transport agents can access message content and possibly make changes to it. For example, the Transport Rules agent may need to inspect message content and apply transport rules (such as rules that apply a disclaimer to the message). To successfully decrypt IRM-protected messages, you must add the Federated Delivery mailbox to the super users group configured on your Active Directory Rights Management Services (AD RMS) server.
Important: |
---|
Members of the super users group are granted an owner use license when they request a license from the AD RMS cluster. This allows them to decrypt all RMS-protected content created by that AD RMS cluster. |
When enabling transport decryption, you can specify the following settings:
- Mandatory Rejects messages that can't
be decrypted and returns a non-delivery report (NDR) to the
sender.
- Optional Uses a best-effort approach to
decryption. If possible, messages are decrypted, but they're
delivered even if decryption fails.
To learn more about transport decryption, see Understanding Transport Decryption.
Looking for other management tasks related to IRM? Check out Managing Information Rights Management.
Prerequisites
- An AD RMS server exists in the Active Directory forest and
is accessible.
- The Federated Delivery mailbox has been added to the
AD RMS super users group. For details, see Add the Federation
Mailbox to the AD RMS Super Users Group.
Use the Shell to enable transport decryption
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.
Note: |
---|
You can't use the EMC to enable transport decryption. |
This example enables transport decryption for the Microsoft Exchange Server 2010 organization. Messages that can't be decrypted are rejected, and an NDR is returned to the sender.
Copy Code | |
---|---|
Set-IRMConfiguration -TransportDecryptionSetting Mandatory |
For detailed syntax and parameter information, see Set-IRMConfiguration.
Use the Shell to disable transport decryption
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Rights protection" entry in the Messaging Policy and Compliance Permissions topic.
Note: |
---|
You can't use the EMC to disable transport decryption. |
This example disables transport decryption for the Exchange 2010 organization.
Copy Code | |
---|---|
Set-IRMConfiguration -TransportDecryptionSetting Disabled |
For detailed syntax and parameter information, see Set-IRMConfiguration.
Other Tasks
After you enable or disable transport decryption, you may also want to: