3. Transport and Journal Report Decryption
Exchange Server 2010 can also be configured to decrypt IRM-protected content so that transport agents can scan it and apply disclaimers, discovery searches can find it, and decrypted copies of messages can be journaled.
3.1. Transport Decryption
Transport decryption lets you enforce messaging policies on IRM-protected content by giving agents in the transport pipeline access to the decrypted message. When it is enabled, IRM-protected messages are decrypted by the Decryption agent; only messages protected by an AD RMS cluster in your organization can be decrypted. The Decryption agent is a built-in transport agent, and built-in agents are not returned in the output of the Get-TransportAgent cmdlet.
Messages that are IRM-protected by a transport rule are not decrypted by the Decryption agent, and do not need to be: transport rules apply protection on the OnRoutedMessage event, whereas the Decryption agent fires on the earlier OnEndOfData and OnSubmit transport events, so those messages are still in clear text when the agent inspects them.
Note:
After the Decryption agent decrypts a message, the decrypted message is available to custom or third-party agents installed on the Hub Transport server so that they can act on it. Although the message itself is always encrypted again before it leaves the Hub Transport server, you need to test the behavior of any custom or third-party agent before deploying it in production.
For example, if a custom or third-party agent creates a new message and attaches the original message to it, only the new message is re-encrypted; the attached original is left unencrypted. The final recipients of the new message therefore receive the original in an unprotected state and can do anything they wish with it, such as cutting, copying, printing, or forwarding it.
If an error occurs while decrypting a message, or while re-encrypting it before it is passed on, the Hub Transport server retries the operation twice more. If the third attempt also fails, the Hub Transport server treats the failure as a permanent error and takes the following action:
If the permanent error occurred during decryption and transport decryption is set to Mandatory, an NDR that includes the (still encrypted) message is sent to the sender. If transport decryption is set to Optional, no action is taken and the message is delivered even though it could not be decrypted, which means policy agents never see its content.
If the permanent error occurred during re-encryption, an NDR is always returned; this NDR never includes the decrypted message.
Before transport decryption can be configured, the Federated Delivery Mailbox must be granted Super Users privileges on your AD RMS cluster; this is covered in detail in Section 5 of this article. Once Super Users privileges have been configured, enable transport decryption with the Set-IRMConfiguration cmdlet. The following example enables transport decryption and rejects messages that cannot be decrypted, returning an NDR to the sender:
Set-IRMConfiguration -TransportDecryptionSetting Mandatory
The acceptable values for TransportDecryptionSetting are Mandatory, Optional, or Disabled.
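As an added example (not code from the original article), the following script, run from the Exchange Management Shell on an Exchange 2010 Hub Transport server, enables transport decryption in Mandatory mode, verifies the setting and the AD RMS connection, and then creates a transport rule whose body inspection only reaches IRM-protected mail because of transport decryption. It assumes the Super Users configuration from Section 5 is already in place; the sender address, rule name and pattern are placeholders, and the Results/OverallResult property names on the Test-IRMConfiguration output are assumed from the cmdlet's documented output.

```powershell
# Added example: enable and verify transport decryption on Exchange 2010.
# Assumes: Exchange Management Shell, and that the Federated Delivery Mailbox
# already has Super Users rights on the AD RMS cluster (see Section 5).
# The sender address, rule name and pattern below are placeholders.

$before = Get-IRMConfiguration
Write-Host "Current TransportDecryptionSetting: $($before.TransportDecryptionSetting)"

# Optional lets a message through unscanned when it cannot be decrypted;
# Mandatory returns an NDR instead. For policy enforcement use Mandatory.
if ($before.TransportDecryptionSetting -ne 'Mandatory') {
    Set-IRMConfiguration -TransportDecryptionSetting Mandatory
}

$after = Get-IRMConfiguration
if ($after.TransportDecryptionSetting -ne 'Mandatory') {
    throw "Transport decryption is $($after.TransportDecryptionSetting), expected Mandatory"
}

# Internal licensing must be on for the Hub Transport server to obtain
# use licenses from the AD RMS cluster.
if (-not $after.InternalLicensingEnabled) {
    Write-Warning "InternalLicensingEnabled is false; the Decryption agent cannot obtain licenses"
}

# End-to-end check against the AD RMS cluster for a real internal sender.
$test = Test-IRMConfiguration -Sender alice@contoso.com   # placeholder address
$test.Results                                             # per-step PASS/FAIL detail (assumed property)
if ($test.OverallResult -ne 'PASS') {                     # assumed property name
    throw "Test-IRMConfiguration failed; fix AD RMS before relying on transport decryption"
}

# The Decryption agent is built in and does not appear here; only
# registered agents such as the Transport Rule agent are listed.
Get-TransportAgent | Format-Table Identity, Enabled, Priority

# A rule that inspects message bodies. Without transport decryption the
# Transport Rule agent sees only ciphertext for IRM-protected messages and
# this rule never matches them; with it, the decrypted body is scanned and
# the message is re-encrypted afterwards. The pattern (a simple US SSN-style
# number) and rule name are placeholders.
New-TransportRule -Name "Block unapproved SSN disclosure" `
    -SubjectOrBodyMatchesPatterns '\b\d{3}-\d{2}-\d{4}\b' `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Message blocked: it appears to contain a Social Security number" `
    -RejectMessageEnhancedStatusCode '5.7.1'
```

Run the script once per organization (the IRM configuration is organization-wide, not per server). If you prefer Optional, keep in mind that a message the Decryption agent cannot open is delivered without ever being matched against rules like the one above.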
3.2. Journal Report Decryption
If your organization uses premium journaling, messages protected with IRM may need to be journaled unencrypted so that their content can be found in the event of a legal or regulatory discovery request. When journal report decryption is enabled, a clear-text copy of the IRM-protected message is saved in the journal report alongside the original IRM-protected message.
Note:
Journal report decryption only supports premium journaling, and thus requires an Exchange Enterprise client access license (CAL).
The decryption of the IRM-protected message is performed by the Journal Report Decryption agent, a built-in transport agent. This agent fires on the OnCategorizedMessage event, which comes after the OnRoutedMessage event on which transport rules apply IRM protection. Messages protected by transport rules are therefore already encrypted when the Journal Report Decryption agent sees them, and it decrypts them for the journal report like any other IRM-protected message. As with transport decryption, the Journal Report Decryption agent only decrypts messages that were IRM-protected by an AD RMS cluster in your organization.
Generally, only sensitive information is protected with IRM, so when you enable journal report decryption the journaling mailbox may contain sensitive information that is not encrypted. Best practice therefore dictates that access to the journaling mailbox be monitored closely and granted only to authorized individuals.
As with transport decryption, the Federated Delivery Mailbox must be granted Super Users privileges on your AD RMS cluster before journal report decryption can be enabled; this is covered in detail in Section 8.7.2.5 of this chapter. After Super Users privileges have been configured, journal report decryption is enabled with the Set-IRMConfiguration cmdlet and its JournalReportDecryptionEnabled parameter:
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
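As an added example (not code from the original chapter), the following Exchange Management Shell script enables journal report decryption, confirms the setting, creates a premium journal rule that delivers to a dedicated journaling mailbox, and then implements the access monitoring recommended above: it lists every explicit Full Access grant on that mailbox and turns on mailbox audit logging so that delegate and administrator access to the decrypted copies is recorded. It assumes the Super Users configuration is already in place and that premium journaling (Enterprise CAL) is in use; the journaling mailbox name, SMTP address and rule name are placeholders, and the audit cmdlets (Set-Mailbox -AuditEnabled, Search-MailboxAuditLog) assume Exchange 2010 SP1 or later.

```powershell
# Added example: enable journal report decryption and monitor the journaling
# mailbox. Assumes the Federated Delivery Mailbox already has Super Users
# rights on the AD RMS cluster and that premium journaling (Enterprise CAL)
# is in use. The mailbox, address and rule name below are placeholders; the
# audit cmdlets assume Exchange 2010 SP1 or later.

$journalMailbox = 'JournalArchive'           # placeholder mailbox name
$journalAddress = 'journal@contoso.com'      # placeholder SMTP address
$ruleName       = 'All mail legal journal'   # placeholder rule name

# 1. Enable and verify journal report decryption.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
$irm = Get-IRMConfiguration
if (-not $irm.JournalReportDecryptionEnabled) {
    throw "JournalReportDecryptionEnabled is still false"
}

# 2. Premium journal rule: every message in the organization is journaled
#    to the journaling mailbox; each report carries both the original
#    IRM-protected message and its clear-text copy.
if (-not (Get-JournalRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-JournalRule -Name $ruleName `
        -JournalEmailAddress $journalAddress `
        -Scope Global -Enabled $true
}

# 3. Who can open the journaling mailbox? List explicit Full Access grants
#    (inherited entries and the mailbox's own SELF entry are noise).
Get-MailboxPermission -Identity $journalMailbox |
    Where-Object {
        -not $_.IsInherited -and
        $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
        $_.AccessRights -contains 'FullAccess'
    } |
    Format-Table User, AccessRights, Deny -AutoSize

# 4. Record delegate and admin access so that reads of decrypted content
#    leave a trail. FolderBind logs each folder a delegate opens.
Set-Mailbox -Identity $journalMailbox -AuditEnabled $true `
    -AuditDelegate FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems `
    -AuditAdmin FolderBind,MessageBind,Copy,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems

# 5. Review the trail (for example weekly): every non-owner logon to the
#    journaling mailbox in the last seven days.
Search-MailboxAuditLog -Identity $journalMailbox `
    -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ClientInfoString |
    Format-Table -AutoSize
```

Step 3 is the check to repeat whenever the permission list changes; any Full Access grant that is not a named, approved reviewer is a direct path to unencrypted IRM content. Steps 4 and 5 give you the evidence that the "monitored closely" recommendation above asks for.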