Export (0) Print
Expand All

Service upgrade changes for policy rules

Exchange 2013

Applies to: Exchange Online Protection

Topic Last Modified: 2014-03-03

When your organization is upgraded from Microsoft Forefront Online Protection for Exchange (FOPE) to Microsoft Exchange Online Protection (EOP), policy migration happens after your domain settings and users are migrated. When your policy migration occurs, FOPE policy rules are changed to Exchange Transport rules.

There are differences to note between FOPE policy rules and Exchange Transport rules. Knowing these feature differences and best practices for creating Exchange Transport rules can help you create the most effective rules.

For more information about configuring custom policy filtering in EOP via Transport rules, see Transport rules.

The following outlines some conditions that can appear during rule migration, depending on your rule configuration, and the action we take to ensure successful migration.

  • Rule Count   You can create up to 100 Exchange Transport rules to implement business-rule compliance.

    If you currently have more than 100 FOPE policy rules, the FOPE to EOP transition includes automatic rule consolidation which will result in fewer than 100 Transport rules. If the automatic migration of the rule settings is unable to fit within the EOP limits, we will reach out to help you manually modify your rules to bring them within compliance for EOP.

  • Pattern Matching and Regular Expressions   FOPE provided basic regular-expression (Regex) support for policy-rule pattern matching. EOP uses the .NET regular-expression engine.

  • Maximum Pattern-Match Length   Transport Rules support up to 20KB of characters for all RegEx pattern and keyword matches. (This limit does not impact recipient and domain match conditions.)

  • Dictionary Support   Rule criteria must be entered directly. Uploading contents from a Dictionary file is only supported via Windows PowerShell (Exchange Online or Exchange Enterprise CAL with Services customers only).

  • Case-Insensitive Matching   Exchange Transport rules use case-insensitive matching.

  • Subject and Body Matching   Transport rules support match conditions within the subject and body of the message.

  • Max Rule Size   FOPE Policy rules that exceed the max rule size limit in Exchange are divided into multiple rules. These rules appear in the Exchange admin center user interface under mail flow as: “Divided FOPE Policy Rule ID###”

  • Duplicate Filtering Requirements   FOPE Policy rules that apply the same filtering requirements are consolidated into a single Transport rule. These rules appear in the Exchange admin center user interface under mail flow as: “Consolidated FOPE Policy rule (n)”. The rule comments and migration report includes the affected FOPE Policy rule IDs.

  • HeaderName with NULL Value   FOPE policy rules support matching a HeaderName against any HeaderValue, including a NULL value. Exchange Transport rules support matching a HeaderName against any HeaderValue, excluding a NULL value. After migration, these rules will only be matched if the HeaderValue is assigned a value; a NULL value is not supported.

  • Recipient Notifications for Reject Rules   Exchange Transport rules do not support recipient notifications for Reject rules. During transition, rules with a Reject action and recipient notifications enabled are converted to rules without recipient notifications.

The following list details items to note regarding policy rules in FOPE that are migrated to the Exchange admin center:

  • All FOPE domains configured with Policy Filtering set to inbound only are added to a Transport rule in the Exchange admin center called “Domains excluded from outbound Exchange Transport Rules.”

  • All FOPE domains configured with Policy Filtering set to disabled are added to two Transport rules. The first is called “Domains excluded from outbound Exchange Transport Rules” and the other is called “Domains excluded from inbound Exchange Transport Rules.”

  • FOPE Policy rules are not migrated to Transport rules if they are disabled, expired, or associated with a disabled domain.

  • FOPE Policy rules that are configured to match the recipient addresses for a user within your organization will be matched against all email addresses configured for the user.

  • If you route email sent within your organization through FOPE, policy rules that are configured to filter outbound email will no longer apply to email sent within your organization after migrating to EOP. Only FOPE policy rules that are configured to filter inbound email will apply to email sent within your organization.

  • When a migrated policy rule is listed as version 14, this just means that the rule is based off an Exchange Server 2010 Transport rule format, and is not a cause for alarm. All Exchange Transport rule options will be available for you to choose from.

Conditions in FOPE translate to Exchange Transport rule predicates, and actions in FOPE translate to Transport rule actions. For more information about predicates and actions in EOP, see Transport rule conditions (predicates) and Transport rule actions.

Some ideas for cutting down on the number of rules you have include the following:

  • Removing rules you created for a specific one-day spam event.

  • Remove little-used rules and rules that are rarely triggered. If it has been a short duration since your migration, you may be able to access the FOPE Admin Center and run a policy-filtering report to determine rule-use metrics. For more information about signing in to the FOPE Admin Center, see Sign in to the FOPE Admin Center after your service upgrade.

  • If you have a rule with many keywords, use a regular-expression pattern to search for similar terms.

The following are additional tips to help you choose rules to consolidate:

  • You may be able to combine rules with similar conditions, or multiple conditions, and rules that perform the same action.

  • FOPE rules were either inbound or outbound. In Exchange Transport rules, this is optional. Configure each rule to apply to both inbound and outbound messages, if possible.

  • If you have rules specific to individual domains, consider creating a company-wide rule and removing domain-specific rules.

  • If you had a FOPE policy rule with a dictionary, in EOP the dictionary is converted to a flat list. If you have rules that in FOPE shared a dictionary, consider consolidating those rules to reduce your rule count, or use a regular expression to optimize your search. Also, trim terms not needed to reduce the rule size.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2014 Microsoft