Applies to: Exchange Server 2013
Topic Last Modified: 2012-12-04
You can use transport protection rules to apply persistent rights protection to messages based on properties such as sender, recipient, message subject, and content.
Before you create transport rules in your production environment, we recommend creating them in a test environment and testing them thoroughly. The transport rules created in this topic are examples. You can create transport rules by using the appropriate transport rule predicates and values based on your requirements.
For additional management tasks related to Information Rights Management (IRM), see Information Rights Management Procedures.
What do you need to know before you begin?
- Estimated time to completion: 2-5 minutes.
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
"Transport rules" entry in the Messaging Policy and
Compliance Permissions topic.
- A server running Active Directory Rights Management Services (AD
RMS) must be available in your organization and contain
existing RMS templates.
- If you configure transport protection rules to protect messages
using IRM, and you also use journaling, consider enabling journal
report decryption to allow the Journaling agent to save an
unencrypted copy of the message in the journal report. To learn
more, see Journal Report
- After you create a transport protection rule, if the rule can't
be applied to messages because an AD RMS server is
unavailable, messages will be queued by the Transport service on
Mailbox servers. Depending on the volume of these messages,
additional disk space may be consumed on Mailbox servers. Exchange
will attempt to IRM-protect the message three times. After these
attempts, if the AD RMS server is unreachable or the message
can't be IRM-protected, a non-delivery report (NDR) is sent to the
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
What do you want to do?
Use the EAC to create a transport protection rule
- Navigate to Mail flow > Rules.
- In the list view, click New.
- In New Rule, first click More options, and then complete the following fields:
  - Name: Type a name for the transport rule.
  - Apply this rule if: Select a condition and enter any required values for the condition. To add more conditions, click Add condition.
    Important: If you don't select any conditions when creating a transport protection rule, all messages handled by Exchange 2013 servers with the Transport service in your organization are IRM-protected. IRM-protecting all messages requires more resources. Therefore, we recommend that you plan your Mailbox server and AD RMS deployment accordingly.
  - Do the following: Select Apply rights protection to the message with and then use the Select RMS template dialog box to select a template.
  - Except if: (Optional) Click Add exception to specify an exception to the rule.
- Click Save to create the transport rule.
Use the Shell to create a transport protection rule
- To create a transport protection rule, you must have existing
RMS templates in your AD RMS deployment. This example
retrieves the available templates from your AD RMS
Get-RMSTemplate | Format-List
- This example creates the transport protection rule
Protect-BusinessCriticalProject. The rule IRM-protects messages
that contain the phrase "Business Critical" in the Subject field
with the Do Not Forward template.
The SubjectContainsWords predicate is used in this example. You can use any combination of transport rule predicates to form the conditions and exceptions for the rule. For information about the available predicates, see Transport Rule Predicates.
New-TransportRule -Name "Protect-BusinessCriticalProject" -SubjectContainsWords "Business Critical" -ApplyRightsProtectionTemplate "Do Not Forward"
How do you know this worked?
To verify that you have successfully created a transport protection rule, do one of the following:
- Use the EAC to verify that the rule has been created, and then
click Edit to view the rule’s properties.
- Use the Get-TransportRule
cmdlet to retrieve the rule. For an example of how to retrieve a
rule, see Examples in
- Using Outlook, Outlook Web App, or a mobile device, send a test
message that meets the rule conditions and check whether the
message received by the recipient is IRM-protected.
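The following script is an added example, not part of the original topic. It ties the Shell steps and the verification steps together: it confirms the RMS template exists before the rule references it, creates the rule only if it is missing, and reads it back with Get-TransportRule. It reuses the rule name, subject phrase, and template name from the example above and assumes it is run in the Exchange Management Shell with the required permissions.

```powershell
# Added example. Values below are the ones used in this topic's Shell example.
$templateName = 'Do Not Forward'
$ruleName     = 'Protect-BusinessCriticalProject'

# 1. Confirm the RMS template is available before a rule references it.
$template = Get-RMSTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "RMS template '$templateName' was not returned by Get-RMSTemplate."
}

# 2. Create the rule only if a rule with this name does not already exist.
$rule = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) {
    New-TransportRule -Name $ruleName `
        -SubjectContainsWords 'Business Critical' `
        -ApplyRightsProtectionTemplate $templateName | Out-Null
    $rule = Get-TransportRule -Identity $ruleName
}

# 3. Read the rule back and check the properties that matter for protection.
$rule | Format-List Name, State, SubjectContainsWords, ApplyRightsProtectionTemplate

if (-not $rule.ApplyRightsProtectionTemplate) {
    Write-Warning "Rule '$ruleName' has no rights protection template set."
}
if ($rule.State -ne 'Enabled') {
    Write-Warning "Rule '$ruleName' exists but is not enabled."
}

# 4. List every rule that applies rights protection, so the overall scope of
#    IRM protection (and the load on AD RMS) can be reviewed in one place.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate -AutoSize

# 5. If journaling is in use, show whether journal report decryption is enabled.
Get-IRMConfiguration | Format-List JournalReportDecryptionEnabled
```

Run it in a test environment first; step 2 creates a live rule if none exists.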