Configure an Ethical Wall
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
An ethical wall is a zone of non-communication between distinct departments of a business or organization that is established to prevent conflicts of interest that might result in the inappropriate release of sensitive information. You can use Microsoft Exchange Server 2010 to configure ethical walls that comply with your organization's compliance policies and with regulations and laws that apply to your organization. For more information about ethical walls, see Understanding Ethical Walls.
To create an ethical wall, use the same procedure that you use to create a transport rule. When you implement an ethical wall by creating a transport rule, you can configure conditions and exceptions to control which e-mail messages the ethical wall blocks.
Warning
Before you create or modify transport rules in your production environment, we recommend that you use a test environment to understand how transport rules work. Test all rules before you create them in a production environment.
Ethical walls block all messages if you don't define an appropriate scope. When you create a transport rule to enforce an ethical wall, you must specify conditions to define which recipients and senders are prohibited from sending messages to each other. If you don't specify any conditions, you must specify exceptions to narrow the scope of the transport rule. If you don't specify conditions or exceptions, the transport rule blocks all messages sent to or from recipients and senders in your organization.
Prerequisites
Although you are not required to use an Exchange 2010 Hub Transport server, you must route e-mail messages through an Exchange 2010 Hub Transport server to apply transport rules to the messages.
Use the EMC to create an ethical wall
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Transport rules" entry in the Messaging Policy and Compliance Permissions topic.
In the console tree, navigate to Organization Configuration > Hub Transport.
In the action pane, click New Transport Rule.
On the Introduction page, complete the following fields:
Name Enter a name for the transport rule.
Comment [optional] Type any notes for the rule.
Enable Rule If you want the rule to be created in a disabled state, clear this check box.
On the Conditions page, complete the following steps:
In the Step 1. Select condition(s) box, select all the conditions that you want to apply to this rule.
Note
The between members of distribution list and distribution list condition is well suited for transport rules that enforce ethical walls.
If you selected conditions in the previous step, click each blue underlined word in the Step 2. Edit the rule description by clicking an underlined value box.
Note
When you click a blue underlined word, you are prompted for the values to apply to the condition. Select the values that you want to apply, or type the values manually. If the prompt window requires that you manually add values to a list, enter a value, and then click Add. Repeat this process until you have entered all the values, and then click OK to close the window.
Repeat the previous step for each condition that you selected. After you configure all the conditions, click Next.
On the Actions page, complete the following steps:
In the Step 1. Select actions box, click send rejection message to sender with enhanced status code. This transport rule action deletes the message and returns a non-delivery report (NDR) to the sender of the message.
In the Step 2. Edit the rule description by clicking an underlined value box, follow these steps:
Click rejection message.
In the Specify rejection message dialog box, enter the text to display in the Diagnostic information for administrators section of the NDR that's sent to the sender of the rejected message. When you're finished, click OK.
Click enhanced status code.
In the Specify Enhanced Status Code dialog box, enter the delivery status notification (DSN) code you want to display in the Diagnostic information for administrators section of the NDR that's sent to the sender of the rejected message. Valid enhanced status code values are 5.7.1 and any value from 5.7.10 through 5.7.999. When you're finished, click OK.
Note
For more information about how Exchange 2010 associates a DSN code with a transport rule, see Associate a DSN Message with a Transport Rule.
If you want to add more actions, repeat the previous step, and select the transport rule actions that you want to apply. After you configure all the actions, click Next.
On the Exceptions page, complete the following optional steps:
In the Step 1. Select exceptions if necessary box, select all the exceptions that you want to apply to this rule. You aren't required to select any exceptions.
If you selected exceptions, in the Step 2. Edit the rule description by clicking an underlined value box, click each blue underlined word.
Note
When you click a blue underlined word, you are prompted to select the items that you want to add or to type the values manually. When you're finished, click OK to close the window.
Repeat the previous step for each exception that you selected.
After you configure all the exceptions, click Next.
On the Create Rule page, review the Configuration Summary. If you're satisfied with the configuration of the new rule, click New, and then click Finish.
Use the Shell to create an ethical wall
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Transport rules" entry in the Messaging Policy and Compliance Permissions topic.
In this example, Woodgrove Bank wants to prevent members of its Brokerage group and the Sales group from communicating. The bank decides to implement an ethical wall between the two groups by using a transport rule.
Predicate The BetweenMemberOf transport rule predicate is used to prohibit the members of the Brokerage Group distribution group and the Sales Group distribution group from communicating with each other. The BetweenMemberOf transport rule predicate is well suited for transport rules that enforce ethical walls. For more information about transport rule predicates, see Transport Rule Predicates.
Exception Woodgrove Bank wants to create an exception to this policy that allows members of the Executive Group distribution group to communicate with one another. These members may also belong to either of the two groups. The ExceptIfFromMemberOf predicate is used to implement this exception.
Action The RejectMessage transport rule action is used to block messages that are sent to a prohibited recipient. When the RejectMessage transport rule action is applied to a message, an NDR is returned to the sender of the message, and the message itself is deleted. You can configure the user information text and the DSN code and message that are displayed in the administrator section of the NDR.
You can modify the text that's displayed to the sender in the Diagnostic information for administrators section of the NDR. This text can provide helpful information to enable the administrator to understand why the message was rejected.
DSN Codes By default, the RejectMessage transport rule action uses the enhanced status code 5.7.1. You can modify the DSN code returned by specifying a custom DSN code. A custom DSN code must be associated with a custom DSN message. The DSN message appears in the user information section of the NDR. You can specify a custom DSN code to be able to provide the sender more detailed information. You can also refer the sender to an internal or public Web page that contains more information about the specific policy or regulation.
The following example specifies a new, unused, custom DSN code in the RejectMessageEnhancedStatusCode property.
New-TransportRule "Sample Ethical Wall" -Enabled $true -BetweenMemberOf1 BrokerageGroup@woodgrovebank.com -BetweenMemberOf2 SalesGroup@woodgrovebank.com -ExceptIfFromMemberOf ExecutivesGroup@woodgrovebank.com -RejectMessageReasonText "Sample Rejection Message" -RejectMessageEnhancedStatusCode '5.7.228'
This example then creates the custom DSN code and specifies the text that should be displayed when a message is returned with that DSN code.
New-SystemMessage -DsnCode 5.7.228 -Internal $true -Language En -Text "A message was sent that violates company policy #123. For more information, please contact the Compliance department."
For more information about which values are accepted and about how Exchange 2010 associates a DSN code with a transport rule, see Associate a DSN Message with a Transport Rule.
For detailed syntax and parameter information, see New-TransportRule and New-SystemMessage.
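The Shell procedure above, carried through as a staged rollout, as an added example written for this page (it is not Microsoft's code and is not part of the original article). It assumes the Exchange Management Shell on an Exchange 2010 organization, reuses the page's sample group addresses and the custom DSN code 5.7.228, and assumes the standard output properties of Get-TransportRule (Conditions, Exceptions, State) and Get-SystemMessage (DsnCode, Internal), which the page does not show. It also applies the warning near the top of the page: the rule is created disabled, and a rule with neither conditions nor exceptions is left disabled rather than allowed to block all mail.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell.
# Group addresses and DSN code 5.7.228 are the page's sample values.

$RuleName = "Sample Ethical Wall"
$DsnCode  = "5.7.228"

# 1. Create the rule in a disabled state so a mis-scoped rule cannot reject mail yet.
New-TransportRule $RuleName -Enabled $false `
    -BetweenMemberOf1 BrokerageGroup@woodgrovebank.com `
    -BetweenMemberOf2 SalesGroup@woodgrovebank.com `
    -ExceptIfFromMemberOf ExecutivesGroup@woodgrovebank.com `
    -RejectMessageReasonText "Sample Rejection Message" `
    -RejectMessageEnhancedStatusCode $DsnCode

# 2. Verify the scope. A transport rule with neither conditions nor exceptions
#    rejects every message sent to or from recipients in the organization.
$rule = Get-TransportRule -Identity $RuleName
if ((-not $rule.Conditions) -and (-not $rule.Exceptions)) {
    Write-Warning "$RuleName has no conditions or exceptions and would block all messages. Leaving it disabled."
    return
}
Write-Host "Conditions:" (($rule.Conditions | ForEach-Object { $_.Name }) -join ", ")
Write-Host "Exceptions:" (($rule.Exceptions | ForEach-Object { $_.Name }) -join ", ")

# 3. Make sure an internal system message exists for the custom DSN code before
#    the rule starts returning NDRs that reference it. (Assumed property names:
#    DsnCode and Internal on the Get-SystemMessage output objects.)
$existing = Get-SystemMessage | Where-Object { $_.DsnCode -eq $DsnCode -and $_.Internal }
if (-not $existing) {
    New-SystemMessage -DsnCode $DsnCode -Internal $true -Language En `
        -Text "A message was sent that violates company policy #123. For more information, please contact the Compliance department."
}

# 4. Enable the rule only after the scope and the DSN text are in place,
#    then show the resulting configuration for review.
Enable-TransportRule -Identity $RuleName
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, Conditions, Exceptions, Actions
```

The order matters: creating the rule disabled and enabling it last means a rule whose conditions were mis-entered never reaches the point of rejecting production mail, and creating the system message before enabling the rule means the first NDR a sender receives already carries the intended policy text rather than an unexplained custom code.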
© 2010 Microsoft Corporation. All rights reserved.