Forum Discussion
Integration of IronPort Edge devices with AIP
PeterJNGL I don't know if this is related specifically to IronPort but it seems like your Exchange server is not enabled for AIP (Information Rights Management). Please review this document to see how to enable it and control the features:
https://docs.microsoft.com/en-us/office365/securitycompliance/manage-office-365-message-encryption
Hi Nir
It appears to have been something else, but the question does still arise: if you wanted to allow a 3rd party edge device to inspect outbound and inbound mail that was protected with AIP, it would need to have the ability to log in to Azure AD as a superuser, right? I'm talking in theory here 🙂
The same would apply to some 3rd party service that was stamping signatures on outbound e-mail, correct?
- Nir Hendler, Aug 14, 2019, Microsoft
To integrate encryption and decryption capabilities into 3rd party apps and devices you can leverage the MIP SDK, which provides you the required tools to achieve that.
- PeterJNGL, Aug 14, 2019, Copper Contributor
I've been chatting to another colleague of yours about this and will take this discussion offline. Ok if I email you directly?
- Esaggese, Aug 14, 2019, Former Employee
PeterJNGL Two additional considerations. First, if a product integrates into the Exchange Server transport pipeline (most email content scanning solutions do), it should be able to leverage the Transport Decryption functionality in Exchange: if its transport agent sits after the Transport Decryption agent and Exchange has Transport Decryption enabled, the third party solution receives decrypted versions of the email (Exchange itself has SuperUser privileges, so it can decrypt the email for processing) without the solution having to have SuperUser itself or use the SDK.
This is how most antimalware solutions work, for example: they sit after the transport decryption phase, so they see the content in decrypted form. Content is re-encrypted before exiting the transport pipeline.
For all this, you have to enable Exchange Server to integrate with AIP using the RMS Connector.
The other consideration is that this works for outbound protected email, and for inbound emails that are a reply to a protected outbound email. But if a third party protects email with their own key and sends it to you, you do not have the authority to use SuperUser privileges to decrypt someone else's content. So you cannot scan content protected by others at the transport layer (note that this is not the case in Exchange Online, since EXO has global SuperUser privileges for the purposes of content scanning, so it can scan inbound protected content).
HTH
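As an added illustration of the transport-decryption setup described in the post above (example commands written for this page, not posted by Esaggese or taken from Microsoft documentation), the following Exchange Management Shell snippet checks the IRM configuration of an on-premises Exchange Server, enables transport decryption, and verifies that a third-party scanning agent is ordered after the RMS Decryption Agent. It assumes the RMS connector (or AD RMS) is already configured and Exchange is registered as a SuperUser there; the sender address `user@contoso.example` and the agent name `Contoso Content Scanner` are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on an on-premises Exchange Server that is already wired to the RMS connector.

# 1. Current IRM state. TransportDecryptionSetting is the value that decides
#    whether agents later in the pipeline see decrypted content.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, TransportDecryptionSetting, LicensingLocation

# 2. Enable licensing and transport decryption.
#    'Mandatory' rejects (NDRs) any message Exchange cannot decrypt.
#    'Optional' lets mail Exchange has no rights to decrypt, e.g. content
#    protected under another organisation's key, pass through still encrypted,
#    which is the inbound case the post describes.
Set-IRMConfiguration -InternalLicensingEnabled $true -TransportDecryptionSetting Optional

# 3. Confirm Exchange can acquire licenses for an internal sender.
#    (user@contoso.example is a hypothetical address.)
Test-IRMConfiguration -Sender user@contoso.example

# 4. Ordering check: the scanning agent must run after the RMS Decryption Agent.
#    Lower Priority number = runs earlier in the pipeline.
#    'Contoso Content Scanner' is a hypothetical third-party agent name.
$agents  = Get-TransportAgent
$decrypt = $agents | Where-Object { $_.Identity -eq 'RMS Decryption Agent' }
$scanner = $agents | Where-Object { $_.Identity -eq 'Contoso Content Scanner' }

if ($decrypt -and $scanner -and $scanner.Priority -le $decrypt.Priority) {
    # Move the scanner to the slot immediately after the decryption agent;
    # Exchange renumbers the agents that follow it.
    Set-TransportAgent -Identity $scanner.Identity -Priority ($decrypt.Priority + 1)
}

# Final view of the pipeline order for review.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority
```

Two things worth checking before relying on this in production: `Test-IRMConfiguration` only proves that Exchange can obtain licenses for your own organisation's content, so inbound mail protected by a foreign tenant will still arrive encrypted with the `Optional` setting, exactly as the post warns; and the transport-agent priority applies per server, so the ordering check has to be repeated on every Mailbox server that runs the Transport service.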