Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

You can use transport protection rules to apply persistent rights protection to messages based on message properties such as sender, recipient, message subject, and content.

Caution:
Before you create transport rules in your production environment, use a test environment to learn how to create transport rules and test them thoroughly. The transport rules created in this topic are examples. You can create transport rules by using the appropriate transport rule predicates and values based on your requirements.
Important:
If you configure transport protection rules to protect messages using Information Rights Management (IRM), and you also use journaling, consider enabling journal report decryption to allow the Journaling agent to save an unencrypted copy of the message in the journal report. For more information, see Understanding Journal Report Decryption.

Looking for other management tasks related to IRM? Check out Managing Information Rights Management.

Prerequisites

A server running Active Directory Rights Management Services (AD RMS) is available in your organization.

Important:
After you create a transport protection rule, if the rule can't be applied to messages because an AD RMS server is unavailable, messages will be queued on Hub Transport servers. Depending on the volume of these messages, additional disk space may be consumed on Hub Transport servers. Exchange will attempt to IRM-protect the message three times. After these attempts, if the AD RMS server is unreachable or the message can't be IRM-protected, a non-delivery report (NDR) is sent to the sender.

Use the EMC to create a transport protection rule

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Transport rules" entry in the Messaging Policy and Compliance Permissions topic.

  1. In the console tree, navigate to Organization Configuration > Hub Transport.

  2. In the action pane, click New Transport Rule.

  3. On the Introduction page, complete the following fields:

    • Name   Type a name for the transport rule.

    • Comments   (optional) You can use this field to describe the rule's functionality, and relevant details such as a change request or trouble ticket number, date, and name of the administrator. Text in this field has no impact on rule functionality.

    • Enabled   New rules are enabled by default. If you want the rule to be created in a disabled state, clear the check box.

  4. On the Conditions page, complete the following fields:

    1. In the Step 1. Select Condition(s) box, select all the conditions that you want to apply to this rule.

      Important:
      If you don't select any conditions when creating a transport protection rule, all messages handled by servers running Microsoft Exchange Server 2010 with Hub Transport servers installed in your organization are IRM-protected. IRM-protecting all messages requires more resources. Therefore, we recommend that you plan your Hub Transport servers and AD RMS deployment accordingly.
    2. If you selected conditions in the Select Conditions box, in the Step 2. Edit the rule description by clicking an underlined value box, click each blue underlined word.

    3. When you click a blue underlined word, a window opens to prompt you for the values to apply to the condition. Select the values that you want to apply, or type the values manually. If the window requires that you manually add values to a list, type a value, and then click Add. Repeat this process until you have entered all the values, and then click OK to close the window.

    4. Repeat the previous step for each condition that you selected. After you configure all the conditions, click Next.

  5. On the Actions page, complete the following fields:

    1. In the Step 1. Select actions box, select rights protect message with RMS template.

    2. In the Step 2: Edit the rule description by clicking an underlined value box, click the underlined words RMS template.

    3. In the Select RMS template dialog box, select an available RMS template, and then click OK.

  6. (Optional) On the Exceptions page, select an exception you want to use, and then type the appropriate value if required.

  7. On the Create Rule page, review the Configuration Summary to make sure the predicates and values used in the conditions and any exceptions appear as expected. Make sure the RMS template selected is the one you intend to use.

  8. Click New to create the transport rule.

  9. On the Completion page, review the following, and then click Finish to close the wizard:

    • A status of Completed indicates that the wizard completed the task successfully.

    • A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.

Use the Shell to create a transport protection rule

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Transport rules" entry in the Messaging Policy and Compliance Permissions topic.

To create a transport protection rule, you must have rights management templates created in your AD RMS deployment. This example retrieves the available templates from your AD RMS cluster.

Copy Code 
Get-RMSTemplate | fl

This example creates the transport protection rule Protect-BusinessCriticalProject. The rule IRM-protects messages that contain the phrase "Business Critical" in the Subject field with the Do Not Forward template.

Note:
The SubjectContainsWords value is used in this example. You can use any combination of transport rule values to form the conditions and exceptions for the rule.
Copy Code 
New-TransportRule -Name "Protect-BusinessCriticalProject" -SubjectContainsWords "Business Critical" -ApplyRightsProtectionTemplate "Do Not Forward"

For detailed syntax and parameter information, see Get-RMSTemplate and New-TransportRule.

Other Tasks