This article applies to:
- Trustwave SEG 8.2 and above
- Azure Information Protection Rights Management
Question:
- What setup is required for Azure Information Protection (AIP) with SEG?
- How do I get the AIP credentials and settings that I need to enter in SEG?
Procedure:
To set up AIP in SEG, you will need a Microsoft Azure account configured with AIP. This article assumes you have such an account.
Prerequisites
RMS Client
The RMS Client installer is linked from the prerequisites tab of the SEG installation autorun. You must install the RMS Client on all processing nodes.
SEG Product Key
The SEG Product Key must have Azure Information Protection enabled. Trial keys for SEG versions that support AIP include this feature. Customers who want to use this functionality should request a replacement key with the AIP entitlement enabled.
Information Needed
NOTE: To use the PowerShell commands described, you must use a minimum version of PowerShell and you must install certain modules. For details, see the Microsoft document Installing the AADRM PowerShell Module.
You will need to obtain values for the following fields required in SEG configuration:
- BposTenantId: Azure Tenant Id
- AppPrincipalId: Azure user to use with SEG with super-user rights
- Base64Key: Symmetric key for AppPrincipalId
- LicensingExtranetUrl: URL for retrieving use license, templates, and other items
- LicensingIntranetUrl: URL for retrieving use license, templates, and other items from Intranet locations.
- Typically the same as LicensingExtranetUrl
Getting the Tenant ID and Licensing Url
- As an administrator, run PowerShell with the appropriate modules installed (see note above)
- Import the RMS module: Import-Module AADRM
- Connect to the service, using Microsoft credentials that have appropriate permissions: Connect-AadrmService –Verbose
- Ensure RMS is enabled: Enable-AADRM
- Get your tenant ID by running: Get-AadrmConfiguration
Creating a Service Principal
A service principal is credentials configured globally for access control that allow a service to authenticate with Microsoft Azure AD and to protect information using Microsoft Azure AD Rights Management.
If you do not already have a service principal for SEG, follow the following steps:
- As an administrator, run PowerShell with the appropriate modules installed (see note above)
- Import the Microsoft Azure AD module using: Import-Module MSOnline
- Connect to your online service with the assigned user credentials: Connect-MsolService
- Create a new service principal by running: New-MsolServicePrincipal
- Provide a name for the Service Principal
- Record the results (symmetric key and AppPrincipalID)
Enabling the Super User feature
SEG requires super user feature to be able to decrypt all messages for the domain. To enable this for the created principal, follow the following steps:
- As an administrator, run PowerShell with the appropriate modules installed (see note above)
- Import the RMS module: Import-Module AADRM
- Connect to the service with the assigned user credentials: Connect-AadrmService –Verbose
- Enable the Aadrm super user feature: Enable-AadrmSuperUserFeature
- Add the Service Principal as a super user to Rights Management: Add-AadrmSuperUser -ServicePrincipalId <AppPrincipalId>
Next Steps
To enter the AIP settings and credentials, open the SEG Configurator or MailMarshal (SEG) 10 Management Interface and navigate to Trustwave SEG Properties > Azure Information Protection. For further instructions, see Help for that window.
