Microsoft Exchange Server 2007: Controlling Email Messages using Exchange’s Transport Rules
As a long time Exchange administrator, one of the great frustrations I have found over the years has been how difficult certain seemingly trivial administrative tasks are to implement in Exchange Server. It is almost embarrassing to tell management that it is not that simple to add a disclaimer to outbound SMTP messages or insert text into the subject of certain messages or control message flow for compliance requirements.
With Exchange Server 2007 Microsoft addresses many of these deficiencies by completely changing the underlying architecture. SMTP has been brought back into Exchange instead of extending the SMTP service in Internet Information Server (IIS). Arduous transport event sinks have been replaced by Transport Agents on the Hub Transport and Edge Transport roles. Transport rules are implemented in the Exchange 2007 architecture through Transport Agents. There is a Transport Rules Agent on all Hub Transport Servers and an Edge Transport Agent on all Edge Servers. Administrators now have a basic UI to control messages using Transport Rules – one of the killer features of the latest Exchange Server.
Focus of Transport Server Roles
Edge Transport Servers perform gateway services for an Exchange organization. They are somewhat independent sentries in the perimeter of corporate networks. As such, their function in terms of transport rules focuses on message hygiene and security. Edge servers are not domain members and have no direct access to Active Directory.
Hub Transport Servers, on the other hand, are integrated in the Windows domain infrastructure and have access to Active Directory. They handle messages that remain internal to the organization in addition to content arriving from or departing to an Edge Transport server. The focus of transport rules implemented on the Hub Transport role is geared toward policy enforcement and compliance.
Because the Edge and Hub Transport roles have different purposes, the set of predicates and actions available for transport rules differs between them.
Scope of Transport Server Roles
Edge Transport servers work alone. Transport rules on the Edge are stored in a somewhat portable subset of Active Directory called Active Directory Application Mode (ADAM). A special updating mechanism called EdgeSync keeps each Edge server's ADAM instance reasonably current with recipient information from AD. If there are multiple Edge servers in place, they do not share their instance of ADAM, so any update must be applied separately to each Edge server. Different Edge Transport servers may control different connections into the Exchange organization, or they may be clones of one another serving as redundant gateways for a single connection. Either way, Edge servers are not aware of each other, they are not members of the internal Exchange organization or the Windows domain, and they operate independently.
By contrast, every single e-mail message sent in an Exchange 2007 organization must pass through at least one Hub Transport server. Even if the sender and recipient reside in the same database, the message leaves the store and passes through the transport pipeline on a Hub Transport server before returning to the mailbox server. Transport Rules are stored in Active Directory. This means (and this is important) that every Hub Transport server accesses the same set of transport rules. Messages sent through Exchange 2007 cannot bypass transport rule processing! Historically, this has been a significant obstacle to administering an Exchange messaging infrastructure that meets regulatory compliance initiatives.
What types of messages do Transport Rules work against?
Almost every type of message that travels through the hub goes through transport rule processing. Standard e-mail messages with plain text, HTML, or RTF bodies are all accessible to the transport rule agent. Transport rules also work on digitally signed messages and encrypted or opaque messages, but only on the parts of the message the agent can actually read. A rule can still evaluate the message header even if the message body has been encrypted.
Exchange 2007 Service Pack 1 added transport rule support for IPM.Note formatted messages, as you might see from applications that generate e-mail messages, as well as unified messaging e-mails, including voice mail messages, fax messages, and missed call notification messages.
Anatomy of a Transport Rule
Help Microsoft improve Transport Rules! Ben Neuwirth at Microsoft recently posted a blog entry publishing a script that can be run against your transport servers to return a statistical analysis outlining which predicates and actions you use most. The script does not collect any personal data and you can review it before emailing it to Ben. The entry is found here
Transport Rules are not all that different from Outlook Rules in their logic. Each rule is composed of at least one condition, one or more actions and, optionally, one or more exceptions. If no conditions are selected, the rule applies to ALL messages. Where there are multiple conditions, all of them must be met; however, no matter how many exceptions there are, it only takes one to prevent the rule from firing.
Figure 1 shows this logical flow through a transport rule. Transport rules are quite flexible with a solid set of options.
Figure 2 shows the various Conditions, Actions, and Exceptions for the Edge and Hub Transport Servers. When these predicates and actions are selected, there are variables to include, such as text, addresses, and other properties.
Unfortunately, you can not add your own actions or predicates to Microsoft’s transport rules interface. You can develop your own custom transport agent to fulfil such a need, of course.
Many companies these days are required to assert greater control over their messaging solutions. Regulatory agencies in various countries demand certain e-mail communications be archived and discoverable. In addition, corporate policy may be designed to minimize liability exposure by providing employees with a working environment safe from harassment or loss of productivity through electronic communications. Transport Rules in Exchange 2007 provide rudimentary solutions to assist administrators in deploying effectively compliant messaging systems. For example, archiving sensitive information may be required in some jurisdictions. Who wants to be investigated by the UK Information Commissioner’s Office or the US Securities and Exchange Commission and not be able to provide the content they require?
Since every message must pass through a Hub Transport server, the hub becomes the point of message control for policy enforcement and compliance. Transport rules can fire on messages where senders or recipients belong to specific groups. This makes it easy to allow or prevent mail flow based on universal distribution group membership. A transport rule can prevent confidential e-mail being sent, either intentionally or accidentally, from the Finance department to a factory worker simply by restricting delivery of e-mail between those groups. This virtual blockade of e-mail communication between groups is referred to as an Ethical Firewall or Ethical Wall. A policy may be put in place to have CFO e-mails, which are often of a sensitive nature, blocked from being sent to factory workers. In the rare case where the CFO needs to send something, perhaps the HR department can send that e-mail instead. Every company is different, and Transport Rules provide some flexibility for securing the flow of e-mail in diverse scenarios. Ethical walls built with Transport Rules reduce the risk of confidential information reaching the wrong inbox.
Message Classifications are not available to Outlook clients by default. Outlook 2007 clients require Message Classifications to be exported from AD and copied to the local registry on the workstation before Outlook can access them. This manual process gives administrators control over who can apply classifications to messages.
With Exchange 2007 there is a special type of server-side message categorization called Message Classification, usable with OWA 2007 and Outlook 2007 clients. These are custom labels stored in Active Directory that can be applied to e-mail messages. Transport rules can either act upon messages with specific classifications or can assign a message classification to messages based on specific properties. Exchange 2007 actually has a few sample message classifications by default. These are not accessible through the EMC; however, they are fairly easily managed using the EMS.
To create a list of Message Classifications using the EMS type the following cmdlet:
[PS]C:\>Get-MessageClassification | ft
This will generate a simple table as shown in Figure 3 where you can also identify a new Message Classification we added for Simple Talk articles.
Working with Message Classifications goes beyond the scope of this article. More information can be found at the source of course: http://technet.microsoft.com/en-us/library/aa998271(EXCHG.80).aspx.
Creating a new Transport Rule
What permissions are needed to create Transport rules? Well just to see the transport rules, the administrator must be delegated at least the Exchange View-Only Administrator role. To create or modify existing transport rules, the administrator must have the Exchange Organization Administrator role.
As you probably already know, the Exchange Management Console (EMC) was built upon the Exchange Management Shell (EMS). Each action performed from the EMC holds an equivalent EMS cmdlet. Transport rules can be managed from either the EMC or the EMS. We will look at both options.
Whether you are creating a new transport rule on a Hub server or an Edge server, the process is very similar. We will walk through an example using the Hub Transport server where messages are copied to another mailbox based on keywords in the subject. On an internal Exchange 2007 server, the EMC has a few containers outlining menu options based on scope. Hub Transport rules are stored in Active Directory in the Exchange Configuration container, so they are replicated throughout the entire AD forest. Logically, Transport rules are thus managed using the Hub Transport option under the Organization container in the EMC as shown in the left pane in Figure 4.
Also in Figure 4, you can see the Transport Rules tab in the center pane is selected.
To launch the wizard, click on the New Transport Rule option in the Action pane of the EMC.
Figure 5 shows the initial screen requiring a name for the rule. The description field is informational and optional and displayed in the EMC. The wizard walks through the conditions, actions, and exceptions for the new transport rule. For our example, the property that triggers the rule is the presence of the keywords ‘Red Gate’ or ‘Simple Talk’ in the message subject as shown in Figure 6.
This condition will result in the message being copied to an article archive mailbox (see Figure 7) unless the message has been tagged with the Message Classification “Company Confidential” (see Figure 8).
The next window in the new rule wizard is a confirmation of what has been entered (see Figure 9).
Clicking New will complete the rule and present the EMS code that was used to create it (see Figure 10).
A CTRL-C will copy this EMS command to the clipboard. In most places in the EMC, the cmdlet shown is complete; however, for transport rules, the variables are not displayed in the UI. They must be assigned manually if you are entering the transport rule with the New-TransportRule cmdlet. In our example, the full command is as follows:
# Condition: the subject contains one of the keywords
$Condition = Get-TransportRulePredicate SubjectContains
$Condition.Words = @("Simple Talk","Red Gate")
# Action: copy the message to the archive mailbox
$Action = Get-TransportRuleAction CopyTo
$Action.Addresses = @((Get-Mailbox "Article Archive"))
# Exception: skip messages classified as Company Confidential
$Exception = Get-TransportRulePredicate HasClassification
$Exception.Classification = (Get-MessageClassification ExCompanyConfidential).Identity
# Create the rule; Priority 0 places it first in the evaluation order
New-TransportRule -Name 'Simple Talk Archive' -Comments 'Copy messages related to Simple Talk to article archive storage' -Conditions $Condition -Actions $Action -Exceptions $Exception -Enabled $true -Priority '0'
The last parameter sets the transport rule priority. Transport rules are applied in order of priority starting with '0', and new rules are appended in the order they are created. If a rule needs to move up the list, its position is controlled with the -Priority parameter of the New-TransportRule or Set-TransportRule cmdlets in the EMS. This is also easily done in the EMC by selecting the rule and using the Change Priority option in the Actions pane.
Figure 11 shows the interface for entering a numerical priority from 0 (highest) to the number of rules less 1. Microsoft recommends a maximum of 1000 rules, mostly because that is where they stopped testing. This should be more than enough for most companies.
You modify existing transport rules in much the same way – either with the EMC or EMS. The EMS uses the Set-TransportRule cmdlet for updating rules. For a list of cmdlets for managing Transport rules in the EMS, see Get-Help as shown in Figure 12.
Backing up Transport Rules
Internally, Transport Rules reside in AD, so they are backed up with AD. If you are going to make significant changes to transport rules, you might want to back up the set currently in place first. The EMS cmdlet Export-TransportRuleCollection bundles all of the transport rules into a file which can be imported later if needed. Note that importing overwrites the existing rules. On an Edge Server, exporting the transport rules serves both as a backup mechanism and as the way to copy the rules onto other 'cloned' Edge Transport servers.
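Putting the backup step together with the Ethical Wall scenario described earlier, here is an added EMS example (not from the original article): it exports the current rule collection before touching anything, then creates a group-to-group blocking rule at the highest priority and lists the resulting evaluation order. The distribution group, mailbox and file path names are assumptions; the predicate and action property names follow the Exchange 2007 transport rule documentation.

```powershell
# Added example, not the article's own code. Assumed names: the universal
# distribution groups "Finance" and "Factory Workers", the mailbox
# "HR Communications", and the backup folder C:\Backups.

# 1. Back up the existing collection first. Import-TransportRuleCollection
#    overwrites every rule in place, so keep this file somewhere safe.
$backup = "C:\Backups\TransportRules-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date)
Export-TransportRuleCollection -FileName $backup
# Roll back later with:  Import-TransportRuleCollection -FileName $backup

# 2. Condition: the message travels between members of the two groups
#    (either direction), using the BetweenMemberOf predicate.
$Condition = Get-TransportRulePredicate BetweenMemberOf
$Condition.Addresses  = @((Get-DistributionGroup "Finance"))
$Condition.Addresses2 = @((Get-DistributionGroup "Factory Workers"))

# 3. Action: reject the message so the sender learns it was blocked by policy.
$Action = Get-TransportRuleAction RejectMessage
$Action.RejectReason = "Mail between Finance and Factory Workers is blocked by policy"
$Action.EnhancedStatusCode = "5.7.1"

# 4. Exception: the designated HR mailbox may still send approved content.
$Exception = Get-TransportRulePredicate From
$Exception.Addresses = @((Get-Mailbox "HR Communications"))

# 5. Priority 0 evaluates the wall before every other rule, so archiving or
#    disclaimer rules further down never act on a message this rule rejects.
New-TransportRule -Name "Ethical Wall: Finance / Factory" `
    -Comments "Blocks Finance <-> Factory Workers mail; HR Communications exempt" `
    -Conditions $Condition -Actions $Action -Exceptions $Exception `
    -Enabled $true -Priority 0

# 6. Confirm the order in which the Transport Rules Agent will evaluate rules.
Get-TransportRule | Sort-Object Priority | Format-Table Name,Priority,State -AutoSize
```

Because the rule lives in the Exchange Configuration container, every Hub Transport server in the forest enforces it once AD replication completes.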
Exchange Server 2007 takes great steps forward in controlling messages and message transport from an administrator perspective. Some tasks that were challenging or required third party applications in previous versions of Exchange have been made more accessible through transport rules in Exchange 2007. With the Edge Server role concerned with security and the Hub Transport role focused on compliance and policy enforcement, Transport Rules provide a much improved set of tools for administrators to manage message flow in their Exchange organizations.