Transport Rules in Exchange 2016
Exchange transport rules are used to look for specific conditions in messages that pass through the organization and take action on them. For example, we might require that certain types of messages be blocked or rejected in order to meet legal or compliance requirements, or to implement specific business needs.
Transport rules are similar to the Inbox rules that are available in Outlook or OWA. The main difference is that transport rules take action on messages while they are in transit as opposed to after the message is delivered. Transport rules also contain a richer set of conditions, exceptions and actions, which provides administrators with the flexibility to implement many types of messaging policies.
If we use the Exchange Admin Center in Exchange 2013 to create a new transport rule, these are the conditions and actions available to us:
While in Exchange 2016 (build 15.01.0225.042 at the time of writing this article) we get the following:
At first glance the conditions look identical and the actions gain only a single new entry (the last one listed). Is that really all? No, there are several improvements to transport rules in Exchange 2016 that the two lists do not show.
When we create a transport rule in Exchange 2016 and select the "The message contains sensitive information" condition, as per the following screenshot:
We now have 80 different types of sensitive information that we can look out for (compared to 51 in Exchange 2013 CU8):
If we look at the example of Portugal Citizen Card Number, this is what Exchange 2016 will look for when we use this type:
Definition: A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300 characters:
Rule-package fragment for this type (the recommendedConfidence and patternsProximity attributes are the 85% and 300 characters of the definition):
<!-- Portugal Citizen Card Number -->
<Entity id="91a7ece2-add4-4986-9a15-c84544d81ecd" recommendedConfidence="85" patternsProximity="300">
Keywords: National ID Card, Cartão de Cidadão, Bilhete de Identidade
These types are extremely useful as they make it easy to find and act on particular types of sensitive information.
With the new condition "Any attachment has these properties, including any of these words", a transport rule can match messages where the specified property of an attached Office document contains the specified words. This condition makes it easy to integrate Exchange transport rules and DLP policies with SharePoint Server, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party classification system that stamps its classification into document properties:
With the new action "Notify the recipient with a message", a transport rule can send the recipient a notification containing the text we specify. Microsoft says that we can use this new action to, for example, "inform the recipient that the message was rejected by a transport rule, or that it was marked as spam and will be delivered to their Junk Email folder". However, the notification text is static: there is no way to insert details of the original message, such as its sender or subject, so I am struggling to find a real use for this action...
The action "Generate incident report and send it to" is not entirely new. However, in Exchange 2016 it has been updated so that the incident report can now be sent to multiple distribution lists.
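The three features above can be driven from the Exchange Management Shell as well as from the EAC. The following is an added example (not code from the original article) that creates one rule for the sensitive-information condition and one for the attachment-property condition, and uses the new recipient notification. The rule names, the dlp-incidents@contoso.com address, and the "Classification" property with its "Confidential" / "Top Secret" values are assumptions for illustration; the cmdlet parameters are those of New-TransportRule and Get-DataClassification.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on an Exchange 2016 Mailbox server. Addresses, rule names and the
# document-property values are assumptions for illustration.

# 1. Confirm which sensitive information types this server knows about. The
#    article reports 80 in Exchange 2016 (51 in Exchange 2013 CU8); check your own.
(Get-DataClassification).Count
Get-DataClassification -Identity "Portugal Citizen Card Number" | Format-List

# 2. Sensitive-information condition. minConfidence 85 equals the
#    recommendedConfidence in the Portugal Citizen Card Number definition, so
#    the rule fires only at the confidence the classifier's author recommends.
#    -Mode Audit records matches (and sends the incident report) without
#    enforcing an action; switch to Enforce once false positives are understood,
#    since keyword/regex classifiers do produce them.
New-TransportRule -Name "Audit - Portugal Citizen Card Number sent externally" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name="Portugal Citizen Card Number"; minCount="1"; minConfidence="85"} `
    -GenerateIncidentReport "dlp-incidents@contoso.com" `
    -IncidentReportContent Sender,Recipients,Subject,DataClassifications,RuleDetections `
    -SetAuditSeverity High `
    -Mode Audit

# 3. Attachment-property condition (new in 2016). "Classification" is the
#    property an FCI/SharePoint classifier is assumed to stamp on the Office
#    document; the message is rejected back to the sender with a DSN.
New-TransportRule -Name "Reject classified documents sent externally" `
    -SentToScope NotInOrganization `
    -AttachmentPropertyContainsWords @{"Classification"="Confidential","Top Secret"} `
    -RejectMessageReasonText "Documents classified Confidential may not leave the organization." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce

# 4. Recipient notification (new in 2016). Inbound Internet mail with an
#    executable attachment is pushed to Junk via SCL and the recipient is told
#    why. The text is static; no sender/subject tokens are available in the EAC.
New-TransportRule -Name "Junk inbound executables and notify recipient" `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -SetSCL 9 `
    -GenerateNotification "A message sent to you contained an executable attachment and was delivered to your Junk Email folder." `
    -Mode Enforce

# 5. Review the resulting rule set in evaluation (priority) order.
Get-TransportRule | Format-Table Priority,Name,State,Mode -AutoSize
```

The Audit/Enforce split is the practical point: a data-classification rule should run in Audit mode long enough to see what it matches in real traffic, because a rule that rejects outbound mail on a false positive is a denial of service against your own users.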
Transport Rules on Edge Servers
Edge Transport servers handle all inbound and outbound Internet mail flow by providing mail relay and smart host services for the Exchange organization. Agents running on the Edge Transport server provide additional layers of message protection and security. These agents provide protection against viruses and spam and apply transport rules to control mail flow.
Because the Edge Transport server is installed in the perimeter network, it is never a member of an organization's internal Active Directory (AD) forest and does not have access to AD information. However, the Edge Transport server requires data that resides in AD such as connector information for mail flow and recipient information for antispam recipient lookup tasks. This data is synchronized to the Edge Transport server by the Microsoft Exchange EdgeSync service (EdgeSync). EdgeSync is a collection of processes run on an Exchange 2016 Mailbox server to establish one-way replication of recipient and configuration information from Active Directory to the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server. EdgeSync copies only the information that's required for the Edge Transport server to perform anti-spam configuration tasks and to enable end-to-end mail flow.
Transport rules are not part of this synchronized data, meaning transport rules we create on our "internal" servers do not get replicated to our Edge server(s). This is because Edge Transport rules are used to control the flow of messages sent to or received from the Internet and not internal mail flow. Edge Transport rules are configured on each Edge Transport server individually to help protect corporate network resources and data by applying an action to messages meeting specified conditions. Edge Transport rule conditions are based on data such as specific words or text patterns in the message subject, body, header, or From address, the spam confidence level (SCL), or the attachment type. Actions determine how the message is processed when a specified condition is true. Possible actions include quarantining a message, dropping or rejecting a message, appending additional recipients, or logging an event.
The components of the Transport service on Edge Transport servers are identical to the components of the Transport service on Mailbox servers. However, what actually happens during each stage of processing on Edge Transport servers is different. In terms of transport rules, these are controlled by the Edge Rule agent. Compared to the Transport Rule agent on Mailbox servers, only a small subset of transport rule conditions are available on Edge Transport servers.
Conditions available on Edge Transport servers (condition name in Shell, followed by its description):
SubjectContains: matches messages that contain the specified words in the Subject field.
SubjectOrBodyContains: matches messages that contain the specified words in the Subject field or message body.
HeaderContains: matches messages where the value of the specified message header contains the specified words.
FromAddressContains: matches messages that contain the specified words in the From field.
AnyOfRecipientAddressContains: matches messages that contain the specified words in the To, Cc, or Bcc fields of the message.
SubjectMatches: matches messages where text patterns in the Subject field match a specified regular expression.
SubjectOrBodyMatches: matches messages where text patterns in the Subject field or message body match a specified regular expression.
HeaderMatches: matches messages where the specified message header field contains text patterns that match a specified regular expression.
FromAddressMatches: matches messages where text patterns in the From field match a specified regular expression.
AnyOfRecipientAddressMatches: matches messages where text patterns in the To, Cc, or Bcc fields of the message match a specified regular expression.
SCLOver: matches messages with an SCL that is equal to or greater than the specified value.
AttachmentSizeOver: matches messages that contain attachments larger than the specified value.
FromScope: matches messages that are sent from the specified scope (inside or outside the organization).
MessageSizeOver: matches messages whose size is larger than or equal to the specified value.
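Because EdgeSync does not carry transport rules, each Edge Transport server has to be given its rules directly. The following is an added example (not code from the original article) showing two Edge rules built from conditions in the table above and how to copy the resulting rule collection to a second Edge server with Export-TransportRuleCollection and Import-TransportRuleCollection. The rule names, the subject pattern and the file path are assumptions for illustration; note that the cmdlet parameter names are the spellings of the predicates listed above (for example SubjectOrBodyMatches is -SubjectOrBodyMatchesPatterns).

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the Edge Transport server itself: Edge rules live in the local AD LDS
# instance, not in Active Directory, and EdgeSync will not push them, so every
# Edge server needs its own copy. Names, pattern and file path are assumptions.

# Quarantine Internet mail that the anti-spam agents scored at SCL 7 or above.
# -Quarantine is an Edge-only action; it delivers to the quarantine mailbox
# configured with Set-ContentFilterConfig -QuarantineMailbox (assumed to exist).
New-TransportRule -Name "Edge - quarantine high SCL" `
    -FromScope NotInOrganization `
    -SCLOver 7 `
    -Quarantine $true

# Silently drop inbound mail whose subject or body matches a lure pattern.
# Keep the regular expression tight: it is evaluated on every Internet message.
New-TransportRule -Name "Edge - drop invoice lures" `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns "overdue invoice.*(wire transfer|bitcoin)" `
    -DeleteMessage $true

# Review what the Edge Rule agent will evaluate, in priority order.
Get-TransportRule | Format-Table Priority,Name,State -AutoSize

# Replicate the rule set to a second Edge server by hand. On this server:
$export = Export-TransportRuleCollection
Set-Content -Path "C:\EdgeRules.xml" -Value $export.FileData -Encoding Byte

# Copy C:\EdgeRules.xml to the other Edge server and run this there. The import
# replaces the entire rule collection on the target, so export its existing
# rules first if any need to survive.
[Byte[]]$data = Get-Content -Path "C:\EdgeRules.xml" -Encoding Byte -ReadCount 0
Import-TransportRuleCollection -FileData $data
Get-TransportRule | Format-Table Priority,Name,State -AutoSize
```

Treat the exported XML as part of the Edge configuration you version and back up: because there is no directory replication for these rules, the export file is the only record that two Edge servers are enforcing the same policy.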
In this article we looked at what is new in transport rules with Exchange 2016. There is not a great deal that is new, but the ability to look inside Office document properties for specific words, and the larger set of sensitive information types we can look for, are certainly welcome improvements.