Regulatory requirements and best practices are driving organizations to create an increasing number of policies regarding electronic messaging traffic. Organizations are required to enforce those policies and ensure that all email complies with them. The Exchange 2007 Hub Transport server aids organizations in instantiating and enforcing those policies.
Some of the questions that organizations ask include the following:
Is there a way to enforce corporate or regulatory email mandates?
Can messages be identified for long-term document retention?
Can the organization transmit confidential messages?
Can the organization journal communications between individuals and groups?
Can the organization add disclaimers to particular messages?
Can the organization restrict messages by attachment size or type?
Can certain messages be rejected by content or attachment name?
The Hub Transport server provides the answers to all of these questions. Three transport agents built into the Hub Transport role provide this functionality: the transport rule agent, the journaling agent, and the AD RMS Prelicensing agent.
Transport Rules
Transport rules are a powerful tool for controlling message flow in the Exchange 2007 organization. Each rule consists of conditions, exceptions, and actions. Rules are stored in Active Directory (AD) and are applied by the transport rule agent on every Hub Transport server in the Exchange 2007 organization. This differs from Edge Transport servers, each of which stores its own transport rules. The Hub Transport rule conditions, exceptions, and action options are targeted at organizational policy and compliance.
Note
Transport rules allow the construction of what is termed ethical walls. An ethical wall is a zone of noncommunication or restricted communication between distinct departments of a business or organization, intended to prevent conflicts of interest that might result in the inappropriate release of sensitive information. For example, a large real estate organization might build an ethical wall between two business units that compete for the same clients.
For example, suppose an organization has a security policy that prohibits users from sending passwords over email. The rule keys on the word “password” in various spellings (the condition). It does not interfere with the transmission, but it blind carbon copies (BCCs) the message to a security administrator (the action), who reviews it and decides whether security policy has been violated.
To create the new transport rule, execute the following steps:
1. From the Exchange Management Console, expand the Organization folder and select the Hub Transport folder.
2. In the actions pane, select New Transport Rule.
3. Enter a name for the rule, such as Password Email Capture Transport Rule.
4. Click Next.
5. Select the condition, in this case When the Subject Field or the Body of the Message Contains Specific Words.
6. Specify the values by clicking the blue hypertext “Specific Words” text.
7. Add “Password”, “password”, and “PASSWORD” to the word list, and click OK.
8. The words are displayed in the rule description.
9. Click Next.
10. Select the action to take by checking the appropriate box, in this case Blind Carbon Copy (Bcc) the Message to Address.
11. In the rule description pane, click the blue hypertext to select a recipient.
12. Select a recipient and click OK.
13. Click Next.
14. Leave the exceptions blank and click Next.
15. Click New to create the transport rule.
16. Click Finish to exit the wizard.
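The same rule can be built from the Exchange Management Shell rather than the console wizard. The following is an added example and not part of the original text or Microsoft's documentation; it assumes the shell runs with Exchange Organization Administrator rights and uses a placeholder mailbox named "secadmin" for the reviewing security administrator. The predicate and action names (SubjectOrBodyContains, BlindCopyTo) are the Exchange 2007 transport rule predicate and action objects that correspond to the wizard choices above.

```powershell
# Added example (not from the book): create the "Password Email Capture Transport Rule"
# from the Exchange 2007 Management Shell instead of the console wizard.
# Assumptions: Exchange Organization Administrator rights, and "secadmin" is a
# placeholder mailbox standing in for the reviewing security administrator.

# Condition (wizard steps 5-7): subject or body contains any of the listed words.
$condition = Get-TransportRulePredicate SubjectOrBodyContains
$condition.Words = @("Password", "password", "PASSWORD")

# Action (wizard steps 10-12): BCC the message to the security administrator's mailbox.
$action = Get-TransportRuleAction BlindCopyTo
$action.Addresses = @((Get-Mailbox "secadmin"))

# Create the rule (wizard steps 14-15): no exceptions, enabled immediately.
New-TransportRule -Name "Password Email Capture Transport Rule" `
    -Comments "Copies messages that mention passwords to the security team for review" `
    -Conditions @($condition) -Actions @($action) -Enabled $true

# Verify what was stored. Rules live in AD and replicate to every Hub Transport
# server, so the same rule should be listed from any Hub Transport server's shell.
Get-TransportRule "Password Email Capture Transport Rule" |
    Format-List Name, State, Priority, Conditions, Actions

# Lifecycle: rules can be suspended, re-enabled, or removed without the wizard.
# Disable-TransportRule "Password Email Capture Transport Rule" -Confirm:$false
# Enable-TransportRule  "Password Email Capture Transport Rule"
# Remove-TransportRule  "Password Email Capture Transport Rule" -Confirm:$false
```

Scripting the rule this way also gives an auditable record of exactly which words and which reviewer mailbox were configured, which is useful when the rule has to be recreated in a second Exchange organization or reviewed during a compliance check.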
The rule will now BCC any message sent anywhere in the Exchange organization that contains the word “password” to the selected recipient.
After creation, rules take effect immediately. Rules can be disabled, edited, or removed after creation as well.
Note
Even though transport rules take effect immediately, the Hub Transport server relies on the recipient cache for recipient and distribution list information. This cache is updated every 4 hours by default. Thus, changes to the distribution lists referenced in transport rules might not be reflected for up to 4 hours.
Transport rules are stored in Active Directory. They are replicated via Active Directory to all Hub Transport servers in the organization for consistency. The rules are stored in the Configuration partition under Service, Microsoft Exchange, <Organization Name>, Transport Settings, Rules, Transport. Each rule is stored as a separate AD object with the same name as the rule.