Getting to Know Transport Rules in Exchange 2007
By David Strome
E-mail is becoming an ever more important means of communication within and between organizations and between individuals. E-mail is also one of the most versatile communication media available to us because it lets us exchange text and voice messages, pictures, documents, and other files almost instantly. E-mail messages can contain anything from a child's birthday party plans, an agreement that closes a multi-billion dollar deal, or a super-secret design for the next-generation automobile engine. Such a powerful tool obviously provides an enormous benefit. It can also cause significant damage if misused.
In Microsoft Exchange Server 2007, we have introduced transport rules to help you control the flow of e-mail messages in your organization. A transport rule implements a single function point of a transport messaging policy. It contains conditions that determine when the rule is triggered and an ordered set of actions that specify what to do when it is triggered. Additionally, each transport rule can have exceptions that specify what to exclude from the condition. Exceptions typically determine a subset of criteria identified in the condition. If you use transport rules, you can specify what information you don't want to enter or leave the organization, which individuals or groups shouldn't be able to communicate with one another, how messages are handled based on how they are classified by the sender, and more.
In this article, I explain what Exchange 2007 transport rules are, how they work, and how you can use them to benefit your organization. I cover the following:
How Transport Rules Work: Which server roles do transport rules run on? What are the different parts of transport rules, and how do transport rules behave on each server role?
How to Administer Transport Rules: What management interfaces are available to administer transport rules? I provide examples and screenshots of the same transport rule in the Exchange Management Console and the Exchange Management Shell to help you understand how each management interface is used.
Putting Transport Rules to Work: I provide some examples of how you can use transport rules to benefit your organization.
How Transport Rules Work
First, it's important to understand that transport rules in Exchange 2007 run in two places: on servers that have the Hub Transport server role installed and on servers that have the Edge Transport server role installed. The following list describes the purpose of transport rules on each server role:
Hub Transport: Transport rules that run on Hub Transport servers help you apply compliance-based and policy-based rules to all messages that flow through an Exchange 2007 organization. All Hub Transport servers share the same transport rule configuration.
Edge Transport: Transport rules that run on Edge Transport servers help you manage antivirus problems. Edge Transport servers do not share transport rule configuration with other servers and must be configured individually.
I'll talk more about transport rules on Hub Transport and Edge Transport servers in the "Transport Rules on Hub Transport Servers" and "Transport Rules on Edge Transport Servers" sections later in this section. The information in the "Anatomy of a Transport Rule" section applies to transport rules on both server roles.
For more information about server roles in Exchange 2007, see Overview.
Anatomy of a Transport Rule
Transport rules consist of a condition, an exception, and an action. Most transport rules have at least one condition and at least one action. You can also use exceptions to better target transport rules to specific messages. However, both conditions and exceptions are optional. Actions, on the other hand, are required. The following list describes conditions, exceptions, and actions:
Conditions: Transport rule conditions are used to indicate which e-mail message attributes, headers, recipients, senders, or other parts of the message are used to identify the e-mail messages to which a transport rule action should be applied. All the conditions that you configure on a transport rule must be matched for the transport rule action to be applied. If you don't configure any conditions on a transport rule, the configured transport rule action is applied to all messages the transport rule encounters.
For a list of conditions that you can use with transport rules, see Transport Rule Predicates.
Exceptions: Transport rule exceptions resemble transport rule conditions. However, unlike transport rule conditions, exceptions identify the e-mail messages to which a transport rule action should not be applied. Transport rule exceptions override conditions and prevent a transport rule action from being applied to an e-mail message, even if the message matches all configured transport rule conditions. Only one transport rule exception has to be matched to override any transport rule conditions that have been matched.
For a list of exceptions that you can use with transport rules, see Transport Rule Predicates.
Actions: Actions are applied to e-mail messages that match all the conditions and none of the exceptions that are present on transport rules. Each action affects e-mail messages in a specific way, from redirecting the e-mail message to another address to dropping the message.
For a list of actions that you can use with transport rules, see Transport Rule Actions.
You probably noticed the term predicates in the link titles in this section. Conditions and exceptions use predicates to define what part of an e-mail message the conditions and exceptions examine as they determine whether the transport rule should be applied to that message.
For more information about conditions, exceptions, and actions, see Understanding How Transport Rules Are Applied in an Exchange 2007 Organization.
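The matching logic described in this section (every condition must match, any one exception overrides, and a rule with no conditions matches everything) can be modeled in a few lines of PowerShell. This is an added illustration, not Exchange code or code from the original article; the function name, the script-block predicates, and the sample messages are all hypothetical.

```powershell
# Added illustration: a model of transport rule matching, not Exchange code.
function Test-RuleApplies {
    param(
        [hashtable]$Message,
        [scriptblock[]]$Conditions = @(),
        [scriptblock[]]$Exceptions = @()
    )
    # All configured conditions must match. With no conditions, every message matches.
    foreach ($condition in $Conditions) {
        if (-not (& $condition $Message)) { return $false }
    }
    # One matching exception overrides every condition that matched.
    foreach ($exception in $Exceptions) {
        if (& $exception $Message) { return $false }
    }
    return $true
}

# Hypothetical predicates: each script block examines one part of a message.
$conditions = @(
    { param($m) $m.From -like '*@sales.example.com' },
    { param($m) $m.To   -like '*@brokerage.example.com' }
)
$exceptions = @(
    { param($m) $m.Subject -like '*Press Release*' },
    { param($m) $m.Subject -like '*Corporate Communication*' }
)

# Constructed sample messages.
$messages = @(
    @{ From = 'ann@sales.example.com'; To = 'bob@brokerage.example.com'; Subject = 'Client list' },
    @{ From = 'ann@sales.example.com'; To = 'bob@brokerage.example.com'; Subject = 'Press Release: Q3' },
    @{ From = 'ann@sales.example.com'; To = 'cat@legal.example.com';     Subject = 'Account review' }
)

foreach ($m in $messages) {
    # Evaluate the full rule, then the same message against a rule that has no conditions.
    $applies      = Test-RuleApplies -Message $m -Conditions $conditions -Exceptions $exceptions
    $unfiltered   = Test-RuleApplies -Message $m
    '{0,-20} action applied: {1,-5} (rule without conditions: {2})' -f $m.Subject, $applies, $unfiltered
}
```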
Transport Rules on Hub Transport Servers
As I mentioned earlier, transport rules that run on Hub Transport servers are designed to help you manage compliance-related and policy-related issues. The conditions and exceptions that are available on Hub Transport servers query the Active Directory directory service, thus enabling you to reference distribution groups and other recipient objects and message classifications for ease of administration. For example, you can use distribution groups together with transport rules to easily customize a transport rule to address a business need such as controlling which groups can communicate with one another by e-mail.
Because Exchange 2007 stores the configuration of transport rules that reside on Hub Transport servers in Active Directory, all the Hub Transport servers in your organization have access to the same transport rule configuration. This means that you only have to configure a transport rule on one Hub Transport server. The transport rule configuration is replicated through Active Directory to all other Hub Transport servers in your organization automatically. This ensures that all Hub Transport servers in your organization are using the same transport rule configuration.
Replication of transport rules across an organization depends on Active Directory replication. Replication time between Active Directory domain controllers varies depending on the number of sites in the organization, slow links, and other factors outside the control of Exchange.
For more information, see the following topics:
Transport rules on Hub Transport servers: See the "Transport Rules Agent" section in Overview of Transport Rules.
Transport rule replication: See the "Transport Rule Replication" section in Understanding How Transport Rules Are Applied in an Exchange 2007 Organization.
Transport Rules on Edge Transport Servers
Transport rules that run on Edge Transport servers are designed to help you manage the number of unwanted messages that enter your organization. Therefore, the set of conditions, exceptions, and actions on an Edge Transport server differs from the set that is available on Hub Transport servers. If your internal network is compromised, the Edge Transport rule agent can also apply the same or different rules to outgoing messages. Transport rules that run on Edge Transport servers are especially helpful during a new virus outbreak when antivirus definition files have not yet been updated to detect the new virus. If infected messages have known patterns that can be detected, you can configure transport rules on Edge Transport servers to block the messages from entering or leaving your organization.
Edge Transport servers each contain their own settings and do not replicate that configuration to other Edge Transport servers or back to Hub Transport servers in the Exchange 2007 organization. Also, while some configuration is replicated by using the Microsoft Exchange EdgeSync service from Hub Transport servers to Edge Transport servers, the transport rule configuration is not included. Therefore, if you have multiple Edge Transport servers and you want the same transport rules on each server, you must configure the transport rules on each Edge Transport server.
For more information about transport rules on Edge Transport servers, see the "Edge Rules Agent" section of Overview of Transport Rules.
How to Administer Transport Rules
You can administer transport rules by using the Exchange Management Console and the Exchange Management Shell on Hub Transport servers and Edge Transport servers. However, remember that the conditions, exceptions, and actions that are available on each server role are different.
As I mentioned earlier, when you configure transport rules on a Hub Transport server, the transport rules configuration is replicated to all the Hub Transport servers in your organization through Active Directory. When you configure transport rules on an Edge Transport server, the transport rules are modified only on the local Edge Transport server.
In the Exchange Management Console
In the Exchange Management Console, you can create and modify transport rules by using the Transport Rule wizard that functions much like Rules and Alerts in Microsoft Outlook. You can continue through the wizard pages and on each page, select conditions, actions, and then exceptions to build your transport rule. The following figure shows a rule constructed by using the Transport Rule wizard on a Hub Transport server:
[Figure: Transport Rule wizard on a Hub Transport server]
For more information about how to configure a transport rule, see Managing Transport Rules.
In the Exchange Management Shell
The Exchange Management Shell is a new administrative interface available in Exchange 2007. The Exchange Management Shell lets you administer any Exchange 2007 feature. This includes some that can't be administered by using the Exchange Management Console.
For more information about the Exchange Management Shell, see Using the Exchange Management Shell.
In the Exchange Management Shell, you can create and modify transport rules by using several commands that, when they are run, create or modify a transport rule. Each command builds on the previous command to construct the conditions, exceptions, and actions that make up a transport rule. The following figure shows the transport rule that was constructed by using the Transport Rule wizard on a Hub Transport server in the earlier figure, but in this figure, the rule is created by using the Exchange Management Shell on a Hub Transport server.
[Figure: Hub Transport server transport rule commands in the Exchange Management Shell]
For more information about how to configure a transport rule, see Managing Transport Rules.
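The following added example shows the command sequence this section describes, with each command building one part of the rule before New-TransportRule combines them. It is not the rule from the original figure or code from the article; the group names "Sales-Group" and "Brokerage-Group", the exception words, and the rule name are assumptions chosen to match the ethical wall scenario discussed later.

```powershell
# Added example for a Hub Transport server. The distribution groups
# "Sales-Group" and "Brokerage-Group" are assumed to exist already.

# Condition: the message is sent between members of the two groups.
$Condition = Get-TransportRulePredicate BetweenMemberOf
$Condition.Addresses  = @((Get-DistributionGroup "Sales-Group"))
$Condition.Addresses2 = @((Get-DistributionGroup "Brokerage-Group"))

# Exception: messages whose subject contains one of these phrases are
# not rejected, even though they match the condition.
$Exception = Get-TransportRulePredicate SubjectContains
$Exception.Words = @("Press Release", "Corporate Communication")

# Action: reject the message; the sender receives an NDR with this text.
$Action = Get-TransportRuleAction RejectMessage
$Action.RejectReason = "E-mail messages between the Sales and Brokerage departments are prohibited."

# Combine the pieces into one rule. On a Hub Transport server the rule is
# stored in Active Directory and replicated to the other Hub Transport servers.
New-TransportRule -Name "Ethical Wall - Sales and Brokerage" `
    -Comments "Rejects mail between Sales and Brokerage except approved announcements." `
    -Conditions @($Condition) `
    -Exceptions @($Exception) `
    -Actions @($Action)

# Review what was stored before relying on the rule.
Get-TransportRule "Ethical Wall - Sales and Brokerage" |
    Format-List Name, Priority, Conditions, Exceptions, Actions
```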
Because Edge Transport servers do not replicate settings between one another, it can be time-consuming to manually duplicate transport rule configurations on each Edge Transport server. However, you can use the Export-TransportRuleCollection and Import-TransportRuleCollection cmdlets to more easily duplicate transport rule configurations on multiple Edge Transport servers.
When you run the Export-TransportRuleCollection cmdlet on an Edge Transport server, the transport rule configuration for that server is saved to an XML file. You can then use the Import-TransportRuleCollection cmdlet to copy and import this XML file to other Edge Transport servers. When you use the Import-TransportRuleCollection cmdlet to import the transport rule configuration stored in the XML file, any preexisting transport rules that were configured on that Edge Transport server are overwritten.
If you use the Import-TransportRuleCollection cmdlet on a Hub Transport server, the transport rule configuration for all the Hub Transport servers in the whole organization is overwritten. Make sure that you use the Export-TransportRuleCollection cmdlet on a Hub Transport server first to back up the current Hub Transport rule configuration.
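Because an import overwrites the existing rules, a safe sequence is to export a backup first and confirm it was written before importing. The following is an added example, not part of the original article; the C:\RuleSync paths are assumptions, the folder is assumed to exist, and the reference file is assumed to have been produced by Export-TransportRuleCollection on another server.

```powershell
# Added example: back up the local rules, then import a reference rule set.
$ErrorActionPreference = 'Stop'

# Assumed paths. The reference file was exported on another server and copied here.
$importFile = 'C:\RuleSync\ReferenceRules.xml'
$backupFile = 'C:\RuleSync\Backup-{0}-{1:yyyyMMdd-HHmmss}.xml' -f $env:COMPUTERNAME, (Get-Date)

# Stop before touching anything if the file to import is missing or is not well-formed XML.
if (-not (Test-Path $importFile)) { throw "Import file not found: $importFile" }
[xml](Get-Content $importFile) | Out-Null

# Save the current configuration. On a Hub Transport server this file is the
# backup of the rule set shared by the whole organization.
Export-TransportRuleCollection -FileName $backupFile
if (-not (Test-Path $backupFile) -or (Get-Item $backupFile).Length -eq 0) {
    throw "Backup was not written, import cancelled: $backupFile"
}

# Record the rules present before the import, then overwrite them.
$before = @(Get-TransportRule)
Import-TransportRuleCollection -FileName $importFile
$after = @(Get-TransportRule)

'Rules before import: {0}; after import: {1}; backup file: {2}' -f $before.Count, $after.Count, $backupFile
$after | Format-Table Name, Priority -AutoSize
```

To roll back, run Import-TransportRuleCollection again with the backup file as the -FileName value.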
Putting Transport Rules to Work
You can use transport rules in a wide variety of situations that require that an action be performed on messages. Some organizations may want messages to specific individuals forwarded to another mailbox, while other organizations may want actions performed based on classifications set by the sender. And other organizations may want messages from specific domains just dropped without any indication to either recipient or sender. Transport rules enable all this functionality and more.
The following sections describe some common scenarios that use transport rules.
An ethical wall is a zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information.
You can use transport rules to create an ethical wall between recipients and senders in your organization. When an ethical wall transport rule is created and senders try to send messages to recipients on the other side of the ethical wall, the message is rejected and a non-delivery report (NDR) is returned to the sender. For more information about ethical walls, see the following topics:
Threats from Viruses
New viruses threaten organizations every day. Antivirus vendors and administrators must react to these virus threats as soon as possible to minimize the damage caused by viruses.
An administrator can use transport rules that run on Edge Transport servers to detect a message that has characteristics that the administrator has specified to determine whether the message is infected by a virus. When you create transport rules to look for specific characteristics, you can provide additional protection to your organization while you wait for antivirus vendors to provide a solution.
For more information about how to use transport rules to help manage antivirus threats, see Configuring Edge Transport Rules to Manage Viruses.
Disclaimers are blocks of text that can be prepended or appended by transport rules to messages that pass through Hub Transport servers. Disclaimers typically contain handling instructions or information that an organization wants applied to any message that enters or leaves the organization or is sent to, from, or between recipients and senders.
Because you use transport rules to apply disclaimers, you can use all the conditions and exceptions available on Hub Transport servers to control which messages disclaimers are applied to.
For more information about how to use transport rules to add disclaimers to messages, see How to Configure a Disclaimer.
I hope this article helps you see how flexible and powerful transport rules in Exchange 2007 can be. Never before have you been able to take such control of information as it travels through your Exchange organization. I encourage you to test transport rules in a lab to see how they can help you manage information in your organization.
David Strome - Technical Writer, Microsoft Exchange Server