Rights Management Server and Exchange 2010 (Part 6)

By /

If you would like to read the first part in this article series please go to:

Introduction

We left part five of this article having looked at Outlook protection rules and if you read that part you will have seen that these rules offer a somewhat limited approach to ensuring that users have RMS templates applied to messages that they send or receive. It is clear that Outlook protection rules offer a small scale approach that may not necessarily be applicable to your messaging environment. If you are looking for a larger scale offering, or looking to automatically protect messages sent and received using Outlook Web App, transport protection rules may just be what you are looking for. Here in part six of this article we’ll be look at transport protection rules so let’s get going straight away.

Transport Protection Rules

Transport protection rules are Hub Transport rules that allow the application of an RMS template to a message, based on certain conditions. If you have created and managed transport rules before, you will already understand the overall process. Let’s look at how we might create a transport protection rule that ensures messages destined to anyone with an Active Directory department attribute set to a value of Human Resources has their messages protected with the RMS Do Not Forward template. Using transport protection rules not only ensures that users have no way of overriding the RMS protection, it also ensures that the RMS protection will apply to messages sent and received from both Outlook and Outlook Web App clients.

Let’s use the Exchange Management Console to create our transport protection rule. Here are the steps required.

  1. Run the Exchange Management Console and navigate to the Organization Configuration / Hub Transport node.
  2. Select the Transport Rules tab.
  3. From the action pane, choose the New Transport Rule option. This will invoke the New Transport Rule wizard.
  4. Enter a suitable name and description for your transport rule and ensure that the Enable Rule check-box is selected as shown in Figure 43. Click Next.


Figure 43: New Transport Rule Wizard Introduction Screen

  1. On the Conditions screen, select the option named “when a recipient’s properties contain specific words”.
  2. In the Step 2 window at the bottom of the Conditions screen, select the “properties contain specific words” link which will present you with the Specify words screen.
  3. On the Specify words screen, click the Add… button which will display the Add property and value window as shown in Figure 44. For the Property field, choose the department option. In the Value field, enter Human Resources. Click OK.


Figure 44: Configuring the Transport Protection Rule Conditions

  1. Back at the Specify words screen, click OK.
  2. The Conditions screen should now look like the screen shown in Figure 45. Click Next.


Figure 45: Transport Rule Wizard Conditions Screen

  1. On the Actions screen, select the option named “rights protect message with RMS template”.
  2. In the Step 2 window at the bottom of the Actions screen, select the “RMS template” link which will present you with the Select RMS template screen as you can see from Figure 46.


Figure 46: Selecting the RMS Template

  1. The Do Not Forward template should be available. Select this template and click OK, which will bring you back to the Actions screen as shown in Figure 47.


Figure 47: Transport Rule Wizard Actions Screen

  1. The Exceptions screen is presented next. We do not want any exceptions configured for now, so just click Next at this screen.
  2. The Create Rule screen is shown next and this displays an overall configuration summary. Review the selections made and when you’re happy with them, click the New button to create the transport protection rule.
  3. The Completion screen will then be displayed and, as usual, the Exchange Management Shell command to create this rule will be displayed so that you can create this rule via this method in the future.

The actual Exchange Management Shell command used to create this transport protection rule is:

New-TransportRule -Name ‘HR No Forward’ -Comments ‘Messages from users within the Human Resources department cannot be forwarded, copied or printed.’ -Priority ‘0’ -Enabled $true -RecipientADAttributeContainsWords ‘department:Human Resources’ -ApplyRightsProtectionTemplate ‘Do Not Forward’

As you can see from this command, the key parameter that identifies this as a transport protection rule is the ApplyRightsProtectionTemplate parameter. This is consistent with the New-OutlookProtectionRule cmdlet which uses a parameter of the same name.

Let’s now test this transport protection rule by sending a message from a user not in the Human Resources department (John) to a user who is in the Human Resources department (Neil). Hopefully we should see the RMS protection applied to the message as viewed in Neil’s inbox. First, John composes a message as shown in Figure 48 and you can see that no RMS template has been applied at this stage since there is no warning banner presented at the top of the message.


Figure 48: Composing a New Message Without an RMS Template Applied

Once John sends this message, it is submitted to a Hub Transport server and the transport protection rule that we created earlier is evaluated against the message. Since Neil is a member of the Human Resources department, the transport protection rule fires against this message resulting in the RMS Do Not Forward template being applied. Neil opens the message and can see that this is indeed the case. This is shown in Figure 49 where you can see that the Forward button has been greyed out. Additionally, the RMS notification text is clearly displayed. The option to print the email is also not available, as is the ability to copy the text although these two features are not shown in Figure 49.


Figure 49: Receiving a New Message With Transport Protection Rules Applied

Examining Transport Protection Rules

For those of you interested in such things, it is possible to examine the contents of transport protection rules using ADSIEdit. With ADSIEdit loaded, connect to the configuration naming context and navigate your way to Configuration / Services / Microsoft Exchange / {your Exchange organization name} / Transport Settings / Rules / TransportVersioned. This location is shown in Figure 50.


Figure 50: The TransportVersioned Object in ADSIEdit

If we bring up the properties of the Do Not Reply transport protection rule, we will get a window similar to the one shown in Figure 51. Note here that the output has been filtered to only show attributes that have a value, which is achieved by clicking the Filter button and selecting this option. The Do Not Reply transport protection rule is a custom rule that I have created to prevent users from replying to messages; we will cover how to create this rule in the next part of this article.


Figure 51: Properties of the Do Not Reply Transport Protection Rule

In Figure 51 one attribute of interest is highlighted, namely the msExchTransportRuleXml attribute. As its name suggests, this attribute contains the XML details of the rule itself. By pasting the contents of this attribute in Notepad, we can see the details of the XML and begin to understand what the rule actually does; this is shown in Figure 52. Note the 2nd ‘argument value’ listed under ‘action name’ – you will see that this is a Globally Unique Identifier (GUID) starting with 231aa152. This is the template GUID as shown in the properties of the rule when viewed in the Active Directory Rights Management Services snap-in, shown in Figure 53. It is not the actual GUID of the transport protection rule which you can obtain using the Get-TransportRule cmdlet.


Figure 52: XML Rule Properties


Figure 53: Rule Template GUID

Summary

That completes part six of this article where we’ve had a good look at transport protection rules and how they are used to enforce RMS protection for messages as they flow through a Hub Transport server. In part seven, we’ll be doing something slightly different and taking a look at how to create custom templates so that we can demonstrate something other than the ability to prevent emails from being forwarded.

If you would like to read the first part in this article series please go to:

About The Author

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top