
Creating an ethical firewall in Exchange Server 2007

Learn how you can use an Exchange Server 2007 ethical firewall to prohibit certain employees or departments from communicating with each other via email.

Publicly traded companies and government agencies sometimes prohibit certain employees or departments from communicating with each other -- either because of federal regulations or to avoid any perception of impropriety, corruption or bias. An Exchange Server 2007 ethical firewall allows you to set up restrictions on specific employees' email communications to help prevent such issues.

Ethical firewall exception rules

If blocking all communications between certain employees seems too severe, you do have the option of creating exception rules. For example, you could create an Exchange Server 2007 ethical firewall that blocks email from User1 to User2 unless a specified word appears in the email's subject line.

Of course, users could potentially misuse the exception rules to pass sensitive or unauthorized information. If this is a concern, just don't build any exceptions into your Exchange Server 2007 ethical firewall.

Another consideration for exception rules is that you will have to take the time to explain them to the users they apply to. This means that the users will know exactly how to circumvent the ethical firewall.

However, it also means that they are not going to pass sensitive information through the firewall accidentally. If a user circumvents an ethical firewall by using an exception rule, they will have knowingly violated a corporate policy, and the company should have no problems terminating that employee over the incident.

Disclaimer: At the time I wrote this tip, Exchange Server 2007 and Microsoft Outlook 2007 were both in public beta testing. The procedures below could potentially change by the time the official versions are released.

Creating an ethical firewall in Exchange Server 2007

For the instructions below I'm going to refer to my earlier example scenario. I will pretend that two users, User1 and User2, must be prohibited from sending work-related email to each other due to the sensitive nature of their jobs.

To make things a bit more interesting, I will also walk you through the process of setting up an exception rule, so that User1 and User2 can send emails to each other if the words "Emergency" or "Social" appear in an email's subject line.

  1. The first step in creating an ethical firewall is creating a set of new global hub transport rules. As such, you must have the Hub Transport server role installed. To begin, open the Exchange 2007 Exchange Management Console and navigate to Organization Configuration -> Hub Transport.

  2. With the Hub Transport object selected, click the New Transport Rule link found in the Actions pane to launch the New Transport Rule Wizard.

  3. Enter a name for the rule and a comment, as shown in Figure 1. In this case, you might call it FIREWALL USER1-USER2. The Comment field allows you to enter additional descriptive information regarding the rule's purpose.

    Figure 1: Enter a descriptive name and comment for the new transport rule.

  4. Click Next and you will see the Conditions screen, which contains a series of checkboxes you can select to build various types of rules.

  5. Select the "From People" and "Sent to People" checkboxes. The bottom half of the screen will change to reflect the checkboxes you've selected.

  6. The bottom half of the screen should state: "Apply rule to messages from people and sent to people." You'll notice that in both the "from" and "sent to" sections, the word "people" is hyperlinked. Click on these "people" links to select specific users.

    If you look at Figure 2, you'll see that in the lower section of the screen, I have configured the rule so that it applies to messages from User1 and sent to User2.

    Figure 2: You must select the users to whom you want the rule to apply.

  7. Click Next to move to the Actions screen, which allows you to control what happens if User1 tries to send a message to User2. Like the Conditions screen, the Actions screen contains a series of checkboxes you can use to enable various actions. You can then customize the actions by clicking on the links within them.

  8. For the purpose of our example scenario, select the "Send Bounce Message to Sender with Enhanced Status Code" checkbox. In this particular case, we are going to be nice and simply bounce the message back to User1 along with a message telling User1 that he or she is not allowed to send messages to User2.

    If you look at Figure 3, you can see that you have a lot of other options as well. For example, you could pass a copy of the message on to User1's manager.

  9. When you select the "Send Bounce Message to Sender with Enhanced Status Code" checkbox, the bottom of the rule will be configured to send a default message to User1 stating, "Delivery not authorized, message refused." If you want to customize this message, click on it and change the text to say what you wish -- e.g., "Due to regulatory issues, you are not authorized to send messages to User2."

    Figure 3: User1 gets a "Delivery Not Authorized" message if they send email to User2.

  10. Click Next to go to the Exceptions screen. We are now going to build a couple of exceptions into our rule so that User1 can send messages to User2 if the word "Social" or "Emergency" appears in the subject line.

  11. Select the "Except When the Text Specific Words Appear in the Subject" checkbox. The phrase, "except when the text specific words appears in the subject" will appear in the rule description box at the bottom of the screen.

  12. Click the "Specific Words" link, add the words "Emergency" and "Social" to the word list, and click OK. The Exceptions screen should now look something akin to Figure 4.

    Figure 4: User1 can send messages to User2 if the words "Emergency" or "Social" appear in the subject line.

  13. Click Next and you will see the wizard's Create Rule screen. This screen provides you with a configuration summary of the rule you just set up. Assuming everything looks good, click the New button and the rule will be created.

    If you look at Figure 5, you'll see a large block of text that appears just below the Firewall User1-User2 bar. This block of text is the actual command you would type if you wanted to create this same rule from the command prompt. If you have several additional rules to create that are similar to the one we just finished, you could use this information to build a script that creates the remaining rules for you.

    Figure 5: The wizard provides a command you can use to create rules from the command prompt.

  14. Click Finish to close the wizard. The new rule will now appear on the Transport Rules tab of the Hub Transport container, as shown in Figure 6. You can use the commands shown in the Actions pane to modify or delete the rule, or to create additional rules.

    Figure 6: The new rule appears on the Transport Rules tab of the Hub Transport container.

  15. To keep User2 from sending email messages to User1, repeat steps 1 through 14 with the names reversed.
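The same pair of rules that steps 1 through 15 build in the wizard can be created from the Exchange Management Shell, which is the route step 13 hints at. The script below is an added example, not the article's command or the text shown in Figure 5; it assumes the Exchange 2007 cmdlets Get-TransportRulePredicate, Get-TransportRuleAction, New-TransportRule and Get-TransportRule are available on a Hub Transport server, that mailboxes named User1 and User2 exist, and that enhanced status code 5.7.1 (the code behind the default "Delivery not authorized, message refused" text) is the one you want on the bounce.

```powershell
# Added example: build the ethical-firewall rule in both directions from the
# Exchange Management Shell. Assumes Exchange 2007 cmdlets and the mailboxes
# User1 and User2 from the article's scenario.

function New-EthicalFirewallRule {
    param(
        [string]$Sender,                                  # mailbox whose mail is blocked
        [string]$Recipient,                               # mailbox it may not reach
        [string[]]$ExceptionWords = @("Emergency", "Social"),
        [int]$Priority = 0
    )

    # Condition 1: the message is from the sender mailbox
    $fromPredicate = Get-TransportRulePredicate From
    $fromPredicate.Addresses = @(Get-Mailbox $Sender)

    # Condition 2: the message is sent to the recipient mailbox
    $sentToPredicate = Get-TransportRulePredicate SentTo
    $sentToPredicate.Addresses = @(Get-Mailbox $Recipient)

    # Exception: one of the agreed words appears in the subject line
    $subjectPredicate = Get-TransportRulePredicate SubjectContains
    $subjectPredicate.Words = $ExceptionWords

    # Action: bounce the message back to the sender with a reason and status code
    $rejectAction = Get-TransportRuleAction RejectMessage
    $rejectAction.RejectReason = "Due to regulatory issues, you are not authorized to send messages to $Recipient."
    $rejectAction.EnhancedStatusCode = "5.7.1"   # assumed: 'delivery not authorized'

    New-TransportRule -Name "FIREWALL $Sender-$Recipient" `
        -Comments "Ethical firewall: $Sender may not email $Recipient" `
        -Conditions @($fromPredicate, $sentToPredicate) `
        -Exceptions @($subjectPredicate) `
        -Actions @($rejectAction) `
        -Priority $Priority
}

# Both directions, as step 15 requires (one rule per direction)
New-EthicalFirewallRule -Sender "User1" -Recipient "User2" -Priority 0
New-EthicalFirewallRule -Sender "User2" -Recipient "User1" -Priority 1

# Confirm both rules exist and are enabled before relying on them
Get-TransportRule | Where-Object { $_.Name -like "FIREWALL *" } |
    Format-Table Name, Priority, Enabled
```

Because the exception words are a plain list the users will be told about, review the rule's hit counts or message tracking logs periodically to confirm the exception is not being used as a routine bypass.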

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at



