Transport Rules in Exchange 2016

by [Published on 1 Dec. 2015 / Last Updated on 1 Dec. 2015]

This article explores what is new in transport rules in Exchange 2016 compared with Exchange 2013.

Introduction

Exchange transport rules are used to look for specific conditions in messages that pass through the organization and take action on them. For example, we might require that certain types of messages be blocked or rejected in order to meet legal or compliance requirements, or to implement specific business needs.

Transport rules are similar to the Inbox rules that are available in Outlook or OWA. The main difference is that transport rules take action on messages while they are in transit as opposed to after the message is delivered. Transport rules also contain a richer set of conditions, exceptions and actions, which provides administrators with the flexibility to implement many types of messaging policies.

If we use the Exchange Admin Center in Exchange 2013 to create a new transport rule, these are the conditions and actions available to us:

Figure 1

Figure 2

While in Exchange 2016 (build 15.01.0225.042 at the time of writing this article) we get the following:

Figure 3

Figure 4

Yes, the conditions available seem to be exactly the same, while for the actions we get only one new one (the last one listed)... Really?! No, there are several improvements to transport rules in Exchange 2016.

Sensitive Information

When we create a transport rule in Exchange 2016 and select the "The message contains sensitive information" condition, as per the following screenshot:

Figure 5

We now have 80 different types of sensitive information that we can look out for (compared to 51 in Exchange 2013 CU8):

Figure 6

If we look at the example of Portugal Citizen Card Number, this is what Exchange 2016 will look for when we use this type:

Format: Eight digits

Pattern: Eight digits

Checksum: No

Definition: A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300 characters:

  • The regular expression Regex_portugal_citizen_card finds content that matches the pattern.
  • A keyword from Keyword_portugal_citizen_card is found.

    <!-- Portugal Citizen Card Number -->
    <Entity id="91a7ece2-add4-4986-9a15-c84544d81ecd" recommendedConfidence="85" patternsProximity="300">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_portugal_citizen_card"/>
        <Match idRef="Keyword_portugal_citizen_card"/>
      </Pattern>
    </Entity>

Keywords:

  • Citizen Card
  • National ID Card
  • CC
  • Cartão de Cidadão
  • Bilhete de Identidade

Table 1

These types are extremely useful as they make it easy to find and act on particular types of sensitive information.
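To see how the Table 1 definition behaves on real text before enabling a rule, the following added example (not code from the article or from Exchange) approximates the entity in plain PowerShell. The eight-digit regex stands in for Regex_portugal_citizen_card, whose definition the article does not show, and the whole-word, case-insensitive keyword matching and the symmetric 300-character window are assumptions.

```powershell
# Added example: offline approximation of the Portugal Citizen Card entity.
# Assumption: an eight-digit run stands in for Regex_portugal_citizen_card.
$Keywords  = @('Citizen Card', 'National ID Card', 'CC',
               'Cartão de Cidadão', 'Bilhete de Identidade')
$Proximity = 300   # patternsProximity from the entity definition

function Find-CitizenCardCandidate {
    param([Parameter(Mandatory)][string]$Text)

    # Whole-word keyword hits, so "CC" does not match inside "account".
    $alternation = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $kwHits = [regex]::Matches($Text, "(?i)(?<!\w)($alternation)(?!\w)")

    # Every run of exactly eight digits is a candidate ID (no checksum exists).
    foreach ($id in [regex]::Matches($Text, '(?<!\d)\d{8}(?!\d)')) {
        # Keyword must lie within $Proximity characters on either side of the ID.
        $lo = $id.Index - $Proximity
        $hi = $id.Index + $id.Length + $Proximity
        $near = $kwHits |
            Where-Object { $_.Index -ge $lo -and ($_.Index + $_.Length) -le $hi } |
            Select-Object -First 1

        [pscustomobject]@{
            Value      = $id.Value
            Keyword    = if ($near) { $near.Value } else { $null }
            # The entity has a single pattern: ID plus keyword at confidence 85.
            Confidence = if ($near) { 85 } else { 0 }
        }
    }
}

# Constructed sample messages, not real data.
$samples = @(
    'Please update my Cartão de Cidadão, number 12345678, before Friday.',
    'Invoice 87654321 is attached.',
    ('CC 11223344 ' + ('x' * 400) + ' order 55667788')
)
foreach ($s in $samples) {
    Find-CitizenCardCandidate -Text $s | Format-Table -AutoSize
}
```

Because the type has no checksum and "CC" is a very short keyword, any eight-digit number near a "CC" line is a likely false positive; running representative mail text through a check like this helps size that noise before choosing a blocking action.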

Attachment Properties

With the new condition "Any attachment has these properties, including any of these words", a transport rule can match messages where the specified property of the attached Office document contains specified words. This condition makes it easy to integrate Exchange transport rules and DLP policies with SharePoint Server, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party classification system:

Figure 7

Notify Recipient

With the new action "Notify the recipient with a message", a transport rule can send a notification to the recipient with the text we specify. Microsoft says that we can use this new action to, for example, “inform the recipient that the message was rejected by a transport rule, or that it was marked as spam and will be delivered to their Junk Email folder”. However, without being able to insert dynamic text into the notification text such as the sender or subject of the original message, I am struggling to find any use for this new action...

Figure 8

Generate Incident

The action "Generate incident report and send it to" is not entirely new. However, in Exchange 2016 it has been updated so that the incident report can now be sent to multiple distribution lists.

Figure 9

Transport Rules on Edge Servers

Edge Transport servers handle all inbound and outbound Internet mail flow by providing mail relay and smart host services for the Exchange organization. Agents running on the Edge Transport server provide additional layers of message protection and security. These agents provide protection against viruses and spam and apply transport rules to control mail flow.

Because the Edge Transport server is installed in the perimeter network, it is never a member of an organization's internal Active Directory (AD) forest and does not have access to AD information. However, the Edge Transport server requires data that resides in AD such as connector information for mail flow and recipient information for antispam recipient lookup tasks. This data is synchronized to the Edge Transport server by the Microsoft Exchange EdgeSync service (EdgeSync). EdgeSync is a collection of processes run on an Exchange 2016 Mailbox server to establish one-way replication of recipient and configuration information from Active Directory to the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server. EdgeSync copies only the information that's required for the Edge Transport server to perform anti-spam configuration tasks and to enable end-to-end mail flow.

Transport rules are not part of this synchronized data, meaning that the transport rules we create on our “internal” servers are not replicated to our Edge server(s). This is because Edge Transport rules are used to control the flow of messages sent to or received from the Internet and not internal mail flow. Edge Transport rules are configured on each Edge Transport server to help protect corporate network resources and data by applying an action to messages meeting specified conditions. Edge Transport rule conditions are based on data such as specific words or text patterns in the message subject, body, header, or From address, the spam confidence level (SCL), or the attachment type. Actions determine how the message is processed when a specified condition is true. Possible actions include quarantining a message, dropping or rejecting a message, appending additional recipients, or logging an event.

The components of the Transport service on Edge Transport servers are identical to the components of the Transport service on Mailbox servers. However, what actually happens during each stage of processing on Edge Transport servers is different. In terms of transport rules, these are controlled by the Edge Rule agent. Compared to the Transport Rule agent on Mailbox servers, only a small subset of transport rule conditions are available on Edge Transport servers.

Conditions available on Edge Transport servers:

| Condition name in Shell | Description |
| --- | --- |
| SubjectContains | This condition matches messages that contain the specified words in the Subject field. |
| SubjectOrBodyContains | This condition matches messages that contain the specified words in the Subject field or message body. |
| HeaderContains | This condition matches messages where the value of the specified message header contains the specified words. |
| FromAddressContains | This condition matches messages that contain the specified words in the From field. |
| AnyOfRecipientAddressContains | This condition matches messages that contain the specified words in the To, Cc, or Bcc fields of the message. |
| SubjectMatches | This condition matches messages where text patterns in the Subject field match a specified regular expression. |
| SubjectOrBodyMatches | This condition matches messages where text patterns in the Subject field or message body match a specified regular expression. |
| HeaderMatches | This condition matches messages where the specified message header field contains text patterns that match a specified regular expression. |
| FromAddressMatches | This condition matches messages that contain text patterns in the From field of the messages that match a specified regular expression. |
| AnyOfRecipientAddressMatches | This condition matches messages where text patterns in the To, Cc, or Bcc fields of the message match a specified regular expression. |
| SCLOver | This condition matches messages with an SCL that's equal to or greater than the value specified. |
| AttachmentSizeOver | This condition matches messages that contain attachments larger than the specified value. |
| FromScope | This condition matches messages that are sent from the specified scope. |
| MessageSizeOver | This condition matches messages when the message size is larger than or equal to the specified value. |

Table 2
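As an added illustration (not from the original article), the commands below create three Edge rules from Table 2 conditions using New-TransportRule in the Exchange Management Shell on the Edge Transport server. The rule names, words, size limit, and the X-Internal-Approved header are illustrative assumptions; note that several Table 2 names map to longer cmdlet parameters such as SubjectContainsWords.

```powershell
# Added example. Run on each Edge Transport server: rules created on
# Mailbox servers are not replicated to the Edge by EdgeSync.
# Names, words, limits, and the custom header are illustrative assumptions.

# Table 2 "AttachmentSizeOver": refuse oversized attachments at the perimeter.
New-TransportRule -Name 'Edge - attachment size limit' `
    -AttachmentSizeOver 20MB `
    -SmtpRejectMessageRejectText 'Attachment exceeds the size accepted by this gateway'

# Table 2 "FromScope" and "SubjectContains" (parameter: SubjectContainsWords):
# tag payment-themed mail that originates outside the organization and log it.
New-TransportRule -Name 'Edge - tag external payment requests' `
    -FromScope NotInOrganization `
    -SubjectContainsWords 'wire transfer', 'payment details' `
    -PrependSubject '[EXTERNAL] ' `
    -LogEventText 'External payment-themed subject tagged at Edge'

# Table 2 "HeaderContains" (parameters: HeaderContainsMessageHeader and
# HeaderContainsWords): strip a hypothetical internal trust header so that
# Internet senders cannot pre-set it to influence rules on Mailbox servers.
New-TransportRule -Name 'Edge - strip spoofed approval header' `
    -HeaderContainsMessageHeader 'X-Internal-Approved' `
    -HeaderContainsWords 'true' `
    -RemoveHeader 'X-Internal-Approved'

# Review the rules now active on this server, in evaluation order.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State -AutoSize
```

With more than one Edge server, the same commands have to be run on every server, so comparing the Get-TransportRule output across servers is a quick check for drift.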

Conclusion

In this article we looked at what is new in Transport Rules with Exchange 2016. There is not much new, but the ability to look inside Office documents for certain properties or words, and the increase in the number of sensitive information types we can look for, are certainly great improvements.


The Author — Nuno Mota

Nuno is an Exchange MVP working as a Senior Microsoft Messaging Consultant for a UK IT Services Provider in London. He specializes in Exchange, Lync, Active Directory and PowerShell.
