Message Classification
Message classification applies a designation that guides the intended usage of the information contained in the email. It is advisory: it labels the message but does not by itself prevent anything. This differs from Rights Management Services (RMS), which enforces usage restrictions on the content. An example of a classification is the built-in Attorney/Client Privileged (A/C) classification shown in Figure 1. When a sender selects the A/C Privileged classification, recipients see an informational header advising them of the message class.
The classification stays with the message for as long as it remains inside the organization, including when it is forwarded to another recipient within the organization. It is removed once the message leaves the organization.
Although classification is informational by default, transport rules can be created on the Hub Transport server that act on the classification and thereby enforce it. For example, a transport rule could prevent a message carrying the A/C designation from being sent outside the company.
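The enforcing rule described above, written out for the Exchange 2007 Management Shell as an added example (this is not code from the original page). It uses the Exchange 2007 predicate and action objects; the rule name, comment and reject text are illustrative, and "ExACPrivileged" is assumed to be the Identity of the built-in A/C Privileged classification, as in the export command later in this section.

```powershell
# Added example (not from the original page). Run in the Exchange 2007
# Management Shell on a Hub Transport server.
# Assumptions: rule name, comment and reject text are illustrative;
# "ExACPrivileged" is the Identity of the built-in A/C Privileged classification.

# The classification the rule enforces.
$acp = Get-MessageClassification -Identity "ExACPrivileged"

# Condition 1: the message carries the A/C Privileged classification.
$hasClassification = Get-TransportRulePredicate -Name HasClassification
$hasClassification.Classification = $acp.Identity

# Condition 2: at least one recipient is outside the Exchange organization.
$external = Get-TransportRulePredicate -Name SentToScope
$external.Scope = "NotInOrganization"

# Action: reject the message with an NDR. 5.7.1 is the standard
# "delivery not authorized" enhanced status code.
$reject = Get-TransportRuleAction -Name RejectMessage
$reject.RejectReason = "Attorney/Client privileged messages may not be sent outside the organization"
$reject.EnhancedStatusCode = "5.7.1"

# Conditions within one rule are ANDed: both must match for the action to fire.
New-TransportRule -Name "Block A/C Privileged mail to external recipients" `
    -Conditions @($hasClassification, $external) `
    -Actions @($reject) `
    -Comments "Enforces the otherwise informational A/C Privileged classification at the Hub Transport server"

# Confirm the rule is enabled and inspect what was stored.
Get-TransportRule -Identity "Block A/C Privileged mail to external recipients" |
    Format-List Name, State, Priority, Conditions, Actions
```

Two caveats a practitioner should keep in mind: the rule is evaluated only on mail that passes through a Hub Transport server, and the classification itself is a label set by the client, so a sender who removes or never applies it is not caught. The rule turns the label into a guardrail at the transport boundary; for protection that travels with the content, the page's own distinction applies and RMS is the enforcing mechanism.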
Message classification requires Outlook 2007 or Exchange 2007 OWA. In Outlook 2007 the feature must be enabled by changing the Registry, generating a classification definition file on the Exchange 2007 server, and finally copying that file to each client.
First, modify the Registry by adding a key and three values. In .reg file syntax, shown here, each backslash in a string value is doubled; the value actually stored is c:\Class\Classifications.xml. The key and values to create are as follows:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Policy]
"AdminClassificationPath"="c:\\Class\\Classifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001
Because the key lives under HKEY_CURRENT_USER, this needs to be done on each client, for each user profile that runs Outlook.
Caution
Incorrectly editing the Registry can cause serious problems that might require you to reinstall your operating system. Problems resulting from editing the Registry incorrectly might not be resolvable. Before editing the Registry, back up any valuable data.
Next, create a directory c:\class\ on the Exchange server to receive the XML file containing the classification definition. The following command generates the XML file referenced in the Registry value. Run it in the Exchange Management Shell after changing to the c:\program files\microsoft\exchange server\scripts\ directory (the export script ships as Export-OutlookClassification.ps1 in the released product; the .msh name dates from the pre-release shell):
"ExACPrivileged" | Get-MessageClassification | ./Export-OutlookClassification.ps1 > c:\Class\Classifications.xml
Running ./Export-OutlookClassification.ps1 without the first two elements of the pipeline exports every classification defined in the organization rather than only A/C Privileged.
Finally, copy the resulting Classifications.XML file to each of the clients. After launching Outlook 2007, the classifications will be available.
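The client-side half of this procedure (the Registry values and the file copy) as one script, suitable for a logon script. This is an added example, not code from the original page. It assumes Classifications.xml has already been exported on the Exchange server as described above and published on a share; the share name \\fileserver\class is a placeholder. Because the values live under HKEY_CURRENT_USER, the script must run in the context of each user who will use Outlook.

```powershell
# Added example (not from the original page). Deploys the Outlook 2007
# message classification settings to the current user and copies the
# definition file exported on the Exchange server.
# Assumption: \\fileserver\class is a placeholder share holding the
# Classifications.xml produced by Export-OutlookClassification.ps1.
param(
    [string] $SourceXml = "\\fileserver\class\Classifications.xml",
    [string] $LocalDir  = "C:\Class"
)

$localXml  = Join-Path $LocalDir "Classifications.xml"
$policyKey = "HKCU:\Software\Microsoft\Office\12.0\Common\Policy"

# 1. Copy the definition file to the path the Registry value will reference.
if (-not (Test-Path $LocalDir)) {
    New-Item -Path $LocalDir -ItemType Directory | Out-Null
}
Copy-Item -Path $SourceXml -Destination $localXml -Force

# 2. Create the Policy key (absent on a default install) and the three values.
#    -Force makes New-ItemProperty overwrite values left by an earlier run.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
New-ItemProperty -Path $policyKey -Name AdminClassificationPath -PropertyType String -Value $localXml -Force | Out-Null
New-ItemProperty -Path $policyKey -Name EnableClassifications  -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $policyKey -Name TrustClassifications   -PropertyType DWord  -Value 1 -Force | Out-Null

# 3. Verify before Outlook is started: the Registry must point at a file
#    that exists and parses as XML, otherwise Outlook cannot load the
#    classifications and the feature simply does not appear.
$policy = Get-ItemProperty -Path $policyKey
if (-not (Test-Path $policy.AdminClassificationPath)) {
    throw "AdminClassificationPath points at a missing file: $($policy.AdminClassificationPath)"
}
[xml] $definition = Get-Content -Path $policy.AdminClassificationPath   # throws if not well-formed XML
$count = $definition.DocumentElement.ChildNodes.Count
Write-Host ("Classification file OK: {0} definition(s) in {1}" -f $count, $policy.AdminClassificationPath)
Write-Host ("EnableClassifications={0} TrustClassifications={1}" -f $policy.EnableClassifications, $policy.TrustClassifications)
```

The verification step is worth keeping: a mistyped AdminClassificationPath or a truncated copy fails silently from the user's point of view, and checking the file parses on the client is quicker than diagnosing a missing Outlook menu later.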
Interestingly, the classifications come pre-enabled in Outlook Web Access, without the steps needed for Outlook 2007.
The message classifications can be modified and extended using the Set-MessageClassification and the New-MessageClassification cmdlets in the Exchange Management Shell. There are no message classification options in the Exchange Management Console.
Rights Management and the Hub Transport Server
The Hub Transport server has an agent, the AD RMS Prelicensing agent, which facilitates the use of RMS in Exchange 2007. It acquires an RMS license on the recipient's behalf before the email is delivered to the user's mailbox. This allows the user to open the email while disconnected, or to open messages sent across forest boundaries, and it provides access to rights-protected email through Outlook Anywhere or Outlook Web Access.
The agent is not enabled by default. The high-level steps to configure the AD RMS Prelicensing agent are as follows:
1. Install the RMS Client with SP2 on the Hub Transport server.
2. Register Rightsmanagementwrapper.dll in the Exchange Management Shell.
3. Enable the agent in the Exchange Management Shell using the command Enable-TransportAgent "AD RMS Prelicensing Agent".
4. Restart the MSExchangeTransport service.
Proper authentication and access control configuration is required for the AD RMS Prelicensing agent, which runs as Network Service, to reach the precertified URL found in the Active Directory of the other forest.
In addition, the RMS server clusters must be upgraded to Microsoft Windows Rights Management Services (RMS) Service Pack 2, and the RMS Client on the Hub Transport server must be upgraded to RMS Client with SP2 Beta (x64).
Prioritization of Agents
Each of the agents on the Hub Transport server has a different priority and its own trigger events, although the events overlap in some respects. Understanding both helps determine the net effect of the agents' activities in complex situations.
The Hub Transport agents' priorities and trigger events are listed in Table 3. A lower number means higher priority: among agents registered for the same event, the agent with the lower number runs first.
Table 3. Hub Transport Agents Priority and Triggers
Agent Name | Priority | SMTP Trigger Events
--- | --- | ---
Transport rule agent | 1 | OnRoutedMessage
Journaling agent | 2 | OnSubmittedMessage, OnRoutedMessage
AD RMS Prelicensing agent | 4 | OnRoutedMessage
For example, assume an organization both journals outbound messages and appends a disclaimer to them. Based on the priorities in the table, the journaled copies should contain the disclaimer text. Both agents act on the OnRoutedMessage event, and the disclaimer is implemented by the transport rule agent, whose priority (1) is higher than that of the journaling agent (2). The disclaimer rule is therefore applied before the message is journaled. A quick inspection of a journal report and its attached message confirms this.
Note
Transport agents have full access to every email that travels through the Hub Transport server, so a faulty or malicious agent can affect both the security and the stability of message flow. Installing a third-party agent should be treated as granting it access to all messages.