How to Configure an Ethical Wall
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic explains how to use the Exchange Management Console or the Exchange Management Shell to configure an ethical wall on computers that have the Hub Transport server role installed.
An ethical wall is a zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information. You can use Microsoft Exchange Server 2007 to configure ethical walls that comply with your organization's compliance policies and with regulations and laws that apply to your organization.
Before You Begin
To create a new ethical wall, you use the same procedure that you use to create a new transport rule. Transport rule actions are available on Hub Transport servers. You use these actions to prevent the transmission of messages between individual recipients or groups of recipients.
When you create a new ethical wall by a using transport rule, you can configure conditions and exceptions to control which e-mail messages the ethical wall blocks. For more information about transport rules and ethical walls, see the following topics:
To perform the following procedures, the account you use must be delegated the following:
- Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Also, before you perform the following procedures, be aware of the following requirements:
Transport rules should be tested in a test environment first This topic describes how to configure an ethical wall. This requires the creation or modification of transport rules. Before you modify existing transport rules or create new transport rules in your production environment, use a test environment to learn how to modify existing transport rules and test them thoroughly. The following procedures are not intended to be run in a production environment without modification to support your organization.
Messages must be routed through a Hub Transport server for transport rules to be applied For transport rules to be applied to e-mail messages, a route must exist that enables the message to enter and leave a server that applies transport rules. Also, the message must not be subject to an administrator-configured transport restriction that prevents delivery of the message. If a transport restriction prevents delivery of a message, the Transport Rules agent cannot act on that message. Also, Transport Rules agent events are logged.
An appropriate scope must be defined Ethical walls can block all messages if you don't define an appropriate scope. When you create a transport rule to enforce an ethical wall, you must specify conditions to define which recipients and senders to prohibit from sending messages to each other. If you don't specify any conditions, you must specify exceptions to narrow the scope of the transport rule. If you don't specify conditions or exceptions, the transport rule will block all messages sent to or from recipients or senders in your organization.
Using the Exchange Management Console to Create an Ethical Wall
Follow these steps in the Exchange Management Console to create an ethical wall on a Hub Transport server.
To use the Exchange Management Console to create an ethical wall on a Hub Transport server
Open the Exchange Management Console on the Hub Transport server.
In the console tree, click Organization Configuration, and then click Hub Transport.
In the result pane, click the Transport Rules tab, and then, in the action pane, click New Transport Rule… .
In the Name field, enter the name of the transport rule that will enforce the ethical wall.
If you have notes for this rule, in the Comments field, type the notes.
If you want the rule to be created in a disabled state, clear the Enabled check box. Otherwise, leave the Enabled check box selected.
Click Next.
In the Step 1. Select Condition(s) box, select all the conditions that you want to apply to this rule.
Note
The between members of distribution list and distribution list condition is well-suited for transport rules that enforce ethical walls.
If you selected conditions in the previous step, in the Step 2. Edit the rule description (click an underlined value) box, click each blue underlined word.
When you click a blue underlined word, a new window opens to prompt you for the values to apply to the condition. Select the values that you want to apply, or type the values manually. If the window requires that you manually add values to a list, type a value. Then click Add. Repeat this process until you have entered all the values, and then click OK to close the window.
Repeat the previous step for each condition that you selected. After you configure all the conditions, click Next.
In the Step 1. Select Action(s) box, click send bounce message to sender with enhanced status code. This transport rule action deletes the message and returns a non-delivery report (NDR) to the sender of the message.
In the Step 2. Edit the rule description (click an underlined value) box, follow these steps:
Click Delivery not authorized, message refused if you want to modify the default text. In the new window that appears, enter the new text to display in the Diagnostic information for administrators section of the NDR sent to the sender of the rejected message. When you are finished, click OK to close the window.
Click 5.7.1 if you want to modify which NDR is sent to the sender of the rejected message. By default, the NDR associated with the 5.7.1 delivery status notification (DSN) code is sent.
When you are finished, click OK to close the window.
Figure 1 Modified transport rule
For more information about what values are accepted and how Exchange 2007 associates a DSN code with a transport rule, see Associating a DSN Message with a Transport Rule.
For more information about these action properties, see Transport Rule Actions.
If you want to add more actions, repeat the previous step and select the transport rule actions that you want to apply. After you configure all the actions, click Next.
In the Step 1. Select Exception(s) box, select all the exceptions that you want to apply to this rule. You are not required to select any exceptions.
If you selected exceptions in the previous step, in the Step 2. Edit the rule description (click an underlined value) box, click each blue underlined word.
When you click a blue underlined word, a new window opens to prompt you to select the items that you want to add or to type the values manually. When you are finished, click OK to close the window.
Repeat the previous step for each exception that you selected. After you configure all the exceptions, click Next.
Review the Configuration Summary. If you are happy with the configuration of the new rule, click New, and then click Finish.
Using the Exchange Management Shell to Create an Ethical Wall
To use the Exchange Management Shell to create a transport rule that enforces an ethical wall, see the "Using the Exchange Management Shell to Create a Transport Rule" section in How to Create a New Transport Rule.
Controlling Which Messages Are Blocked by the Ethical Wall
The following procedure shows how to control how an ethical wall is applied. In this example, the BetweenMemberof
transport rule predicate is used to prohibit the members of the Sales Group distribution group and the Brokerage Group distribution group from communicating with each other. The BetweenMemberOf
transport rule predicate is well-suited for transport rules that enforce ethical walls. For more information about transport rule predicates, see Transport Rule Predicates.
To use the Exchange Management Shell to configure the BetweenMemberOf transport rule predicate
Run the following commands:
$Condition = Get-TransportRulePredicate BetweenMemberOf $Condition.Addresses = @((Get-DistributionGroup "Brokerage Group")) $Condition.Addresses2 = @((Get-DistributionGroup "Sales Group"))
Configuring the Ethical Wall Action
The RejectMessage
transport rule action is used to block messages sent to a prohibited recipient. When the RejectMessage
transport rule action is applied to a message, an NDR is returned to the sender of the message, and the message itself is deleted. You can configure the user information text and the DSN code and message that are displayed in the administrator section of the NDR.
To use the Exchange Management Shell to select the RejectMessage transport rule action
Run the following command:
$Action = Get-TransportRuleAction RejectMessage
You can modify the text that is displayed to the sender in the Diagnostic information for administrators section of the NDR. This text can provide helpful information to enable the administrator to understand why the message was rejected.
To use the Exchange Management Shell to configure the "Diagnostic information for administrators" text that appears in the NDR
Run the following command:
$Action.RejectReason = "Sample reject reason"
You can also modify the DSN code and message that appears in the user information section of the NDR by specifying a custom DSN code. A custom DSN code is associated with a custom DSN message. It is useful to specify this code so that you can refer the user to an HTML link to a specific policy or regulation. By default, the NDR associated with the 5.7.1 DSN code is sent.
For example, if you create a new ethical wall and want to refer users to a specific policy if their message is rejected, you can specify a new, unused, custom DSN code in the EnhancedStatusCode property. After you specify a new custom DSN code, you must then use the New-SystemMessage cmdlet to create the DSN code and specify the text that should be displayed when that DSN code is referenced.
For more information about what values are accepted and how Exchange 2007 associates a DSN code with a transport rule, see Associating a DSN Message with a Transport Rule.
To use the Exchange Management Shell to configure the user information text in an NDR by specifying a custom DSN code
Run the following command:
$Action.EnhancedStatusCode = "5.7.228"
For more information about these action properties, see Transport Rule Actions.
Creating the New Ethical Wall Transport Rule
After you configure the conditions, exceptions, and actions, create the new transport rule that enforces the ethical wall.
To use the Exchange Management Shell to create a new transport rule that enforces the ethical wall
Run the following command:
New-TransportRule -Name "Sample Ethical Wall Transport Rule" -Condition @($Condition) -Action @($Action)
Configuring a Transport Rule that Enforces an Ethical Wall
The following example shows how to apply a transport rule that enforces an ethical wall that blocks messages sent between members of the Sales Group distribution group and Brokerage Group distribution group. An exception allows messages to be sent only if the sender is a member of the Executives Group distribution group.
Note
This hypothetical ethical wall uses a customized DSN code and message. The New-SystemMessage command in this example creates the customized DSN code and message. For more information, see Associating a DSN Message with a Transport Rule.
To use the Exchange Management Shell to configure the transport rule that enforces the ethical wall
Run the following commands:
$Condition = Get-TransportRulePredicate BetweenMemberOf $Condition.Addresses = @((Get-DistributionGroup "Sales Group")) $Condition.Addresses2 = @((Get-DistributionGroup "Brokerage Group")) $Exception = Get-TransportRulePredicate FromMemberOf $Exception.Addresses = @((Get-DistributionGroup "Executives Group")) $Action = Get-TransportRuleAction RejectMessage $Action.RejectReason = "Messages sent between members of the Sales Group and the Brokerage Group are prohibited." $Action.EnhancedStatusCode = "5.7.228" New-SystemMessage -DsnCode 5.7.228 -Internal $True -Language En -Text "A message was sent that violates company policy #123. For more information, please contact the Compliance department." New-TransportRule "Sales-Brokerage Ethical Wall" -Condition @($Condition) -Exception @($Exception) -Action @($Action)
For More Information
For detailed syntax and parameter information about each command, see the following topics:
For more information about transport rules, see the following topics: