E-mail policy reapplied every 1-2 minutes - Error 31506 Microsoft Forefront TMG Control

    Question

  • I'm running Exchange 2010 with only the Edge Transport role on a Windows 2008 R2 server with Forefront TMG and Forefront Protection Manager for Exchange. I have an error message in the application log every 1-2 minutes:

    Log Name:      Application
    Source:        Microsoft Forefront TMG Control
    Date:          25.12.2009 21:05:28
    Event ID:      31506
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      TMG.ad.artax.cz
    Description:
    Forefront TMG detected changes in Microsoft Exchange Server or Microsoft Forefront Protection configuration, and reapplied the e-mail policy configuration on server 'TMG'.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft Forefront TMG Control" />
        <EventID Qualifiers="32768">31506</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-12-25T20:05:28.000000000Z" />
        <EventRecordID>8101</EventRecordID>
        <Channel>Application</Channel>
        <Computer>TMG.ad.artax.cz</Computer>
        <Security />
      </System>
      <EventData>
        <Data>TMG</Data>
      </EventData>
    </Event>

    I am not changing anything. No error on Exchange server (Hub Transport) and everything seems to be working.

    Could you help, please?

    Best regards

    Martin
    26 December 2009 17:24

Answers

All messages

  • Hi, I'm having the same problem.
    It looks like I can't set up the TMG e-mail policy since it is getting overwritten all the time. We can send e-mail but can't receive. I'm really lost (and embarrassed) after trying for two weeks.

    Exchange installation is not exactly our core activity. We have been running our own Exchange servers because mailbox access and other messaging operations have been essential in several of our software products. We also run our company mailboxes from this installation. I decided that we could risk the upgrade for TMG in a low-activity period, without first setting up a lab network. Now I truly regret...

    Soon heading for another solution, I'd like to see if anybody could make anything out of a case like this (please bear with me; I'll try to make it short):

    We used to have one Exchange 2007 box and a single ISA2006 at the edge. All was nice. Then the network got replaced by a number of new Windows 2008 servers, and for some reasons we decided to keep it clean Win2008. So the ISA server had to go, replaced by a few separate edge servers while waiting for the Win2008-ready TMG. Later, all servers were upgraded to Win2008 R2, we set up a plain Exchange 2010 box with CAS/HUB/mailbox roles, and a plain edge server with the Exchange 2010 edge role. Ok so far, but I couldn't make the web/mobile client access work this time.

    A few weeks ago the Forefront Trust Management Gateway was RTM, and the TMG's integrated support for the Exchange edge installation was almost too good to be true. I saw the opportunity to more easily control the web/mobile client access, and at the same time free up a couple of servers. We already had a third party EV SSL SAN certificate for TMG and Exchange. Longing back to ISA server I found the TMG to be a great product! At least while setting up access rules, web publishing and similar.

    By now mailboxes had been moved to the Exchange 2010 box, and the 2007 box had been properly uninstalled. I removed the subscription for the first Exchange 2010 edge server, and subscribed to the TMG box which had been installed plainly with Exchange 2010 edge role, Forefront 2010 for Exchange and TMG, in that order.

    At first we could receive e-mail but not send. After checking certificate installations, re-subscribing, repairing installations, and reading all I could find on the subject, it looked like (according to some postings) the installation order somehow had been messed up after all. Removing and reinstalling all on the TMG (following notes/screenshots) simply made the sending of e-mail work instead of receiving.

    The TMG server is a member server. This is the only thing I can think of not being straight from the recommendations. (We would of course prefer a separate dmz/edge domain with a one-way trust, and will consider that for later)
    From what I have been reading the TMG can be joined to the internal domain, while it is recommended that a separate Exchange edge server is stand-alone or in a DMZ network. And the Exchange edge is recommended on the TMG. From this I make out that our setup is ok as long as we accept the security issue of exposing the Active Directory to an edge computer (for now).
    Well, does anybody know otherwise?
    Any help would be very much appreciated.

    28 December 2009 20:04
  • Hi Olav,

    I had the problem with incoming e-mail too. It was caused by the stopped service "Microsoft Forefront TMG Managed Control". Just try to start it and look at "netstat -na -p TCP"; there should be an open port 25 on some of the interfaces. Without the IsaManagedCtrl service started there is no SMTP port open.

    Best regards

    Martin
    29 December 2009 07:11
  • Hi Martin,

    Yes, I manually started the IsaManagedCtrl service for a while until I finally had the service startup setting "Automatic (delayed start)" working. Or maybe I solved that one after a certificate configuration change. Still no incoming mail and error 31506 keeps repeating while an edge subscription is active.

    At some points I probably did not have the correct certificate setup. I've been searching and frankly I'm still not sure what is expected from Exchange/TMG. Right now I'm running like this:
    - Edge: The TMG/Exchange edge server has 3rd party EV SSL SAN cert for IIS/Exchange use (covering mail. owa. and autodiscover.).
    - Hub: The Exchange hub/cas/mailbox server has a cert with CN computername.domainname.rootdomain from our enterprise CA.

    The 3rd party cert is added to the web listener of the TMG. Running Get-ExchangeCertificate on each server returns no other certificates. The edge server has SMTP set with Enable-ExchangeCertificate, and the hub has likewise enabled SMTP, IMAP, POP and IIS.
    While trying some shots in the dark I deleted the self-issued cert once created by the Exchange Edge installation, but re-creating, or adding a cert from the enterprise CA did not help.

    I get errors while trying to see the properties of the two Receive Connectors from the EMC on the edge:

    - The operation couldn't be performed because object '<EdgeServerName>\External_Mail_Servers' couldn't be found on 'localhost'. It was running the command 'Get-ReceiveConnector -Identity '<EdgeServerName>\External_Mail_Servers''.

    - The operation couldn't be performed because object '<EdgeServerName>\Internal_Mail_Servers' couldn't be found on 'localhost'. It was running the command 'Get-ReceiveConnector -Identity '<EdgeServerName>\Internal_Mail_Servers''.

    Then, from the shell all looks ok as far as I can see:

    [PS] C:\Windows\system32>Get-ReceiveConnector -Identity '<EdgeServerName>\External_Mail_Servers'

    Identity                   Bindings            Enabled
    --------                   --------            -------
    Helm\External_Mail_Servers {85.196.xxx.xxx:25} True


    [PS] C:\Windows\system32>Get-ReceiveConnector -Identity '<EdgeServerName>\Internal_Mail_Servers'

    Identity                   Bindings                            Enabled
    --------                   --------                            -------
    Helm\Internal_Mail_Servers {192.168.xxx.xxx:25, 85.196.xxx.xxx:25} True


    I'm not sure if this has anything to do with the lost mail.
    Otherwise it looks like settings keep in sync now.

    Logging in TMG filtered by SMTP and LDAP (Edge) and LDAPS (Edge) always returns two entries while sending an e-mail to the organization:

    - Initiated Connection <EdgeServerName> 29.12.2009 19:26:44
    Log type: Firewall service
    Status: The operation completed successfully. 
    Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
    Source: External (213.158.233.150:57511)
    Destination: Local Host (85.196.xxx.xxx:25)
    Protocol: SMTP
     Additional information
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 213.158.233.150

    - Closed Connection <EdgeServerName> 29.12.2009 19:26:49
    Log type: Firewall service
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake. 
    Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
    Source: External (213.158.233.150:57511)
    Destination: Local Host (85.196.xxx.xxx:25)
    Protocol: SMTP
     Additional information
    Number of bytes sent: 2054 Number of bytes received: 467
    Processing time: 5414ms Original Client IP: 213.158.233.150


    Later, this one repeats (like error 31506), trying from hub to edge:

    - Denied Connection <EdgeServerName> 29.12.2009 19:34:04
    Log type: Firewall service
    Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer. 
    Rule: None - see Result Code
    Source: Internal (192.168.xxxx.xxx:11936)
    Destination: Local Host (192.168.yyy.yyy:50636)
    Protocol: LDAPS(EdgeSync)
     Additional information
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 192.168.xxx.xxx


    Any ideas?
    Thanks.

    -olav

    29 December 2009 18:42
  • Hi Martin,

    have you found a reason why event ID 31506 from the Microsoft Forefront TMG Control source reappears in the application log every 1-2 minutes? I've got the same error in the application log followed by the TMG alert/warning "E-mail Policy - Configuration Reapplied" and it's getting really annoying.

    Thanks,
    Dawid
    29 December 2009 23:44
  • Hi DawidGK,

    no, no solution up to now :-(

    And I have found one more problem. After a restart the Microsoft Forefront TMG Control service stays off and I have to start it manually :-(

    Best regards

    Martin
    30 December 2009 11:28
  • "And I have found one more problem. After a restart the Microsoft Forefront TMG Control service stays off and I have to start it manually"

    Hi Martin,

    Try setting the service IsaManagedCtrl ("Microsoft Forefront TMG Managed Control", not to be confused with "Microsoft Forefront TMG Managed Control") to startup type "Automatic (Delayed start)". No other Exchange/TMG services set to delayed start. That worked for me so I don't have to start it manually. I even tested setting it back to regular automatic, and it fails again.

    But the annoying 31506 error keeps logging.
    This time I can't find anything missing in the e-mail policy configuration that was meant to be applied to the edge server.
    So I guess it means nothing in my case after all, and I have to find other ways to get incoming mail past the edge.
    30 December 2009 13:07
  • Solved my problem, but the 31506 error continues. Will disregard.
    30 December 2009 21:57
  • I am not sure if you can simply ignore the problem. I am afraid it resets active connections :-(
    4 January 2010 13:33
  • I'm pretty sure also this error isn't as trivial as it seems, but I haven't found a solution yet. Looks like nobody (except us) on the net is experiencing this behavior. It's crowding the application log and getting really annoying! Kiwisek, just hoping your worries are incorrect.
    Maybe somebody from Microsoft could contribute. Please, HELP!

    Dawid
    4 January 2010 17:59
  • Hi Nick,

    please unmark Olav's answer, my proposal was accidental. His solved problem was completely unrelated to Kiwisek's (and mine) problem, which is still an unresolved issue. Maybe there is somebody who can help.

    Thanks,
    Dawid

    6 January 2010 16:41
  • Hi, I'm having the same problem.
    6 January 2010 18:04
  • Can't say I notice any malfunction, but the 31506 error continues to fill up logs.

    I should probably also mention that I have this error message alternating with eight identical info messages:

    ---------------------------------------
    Log Name:      Application
    Source:        MSExchangeTransport
    Date:          06.01.2010 21:45:02
    Event ID:      16022
    Task Category: Configuration
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      xx
    Description:
    A configuration update for Microsoft.Exchange.Transport.ReceiveConnectorConfiguration has successfully completed.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeTransport" />
        <EventID Qualifiers="16388">16022</EventID>
        <Level>4</Level>
        <Task>16</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-01-06T20:45:02.000000000Z" />
        <EventRecordID>125787</EventRecordID>
        <Channel>Application</Channel>
        <Computer>xx</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Microsoft.Exchange.Transport.ReceiveConnectorConfiguration</Data>
      </EventData>
    </Event>
    ---------------------------------------

    I guess Exchange actually tries to apply some obscure changes, but is correctly dismissed. Of course, I'm not sure.

    I'll be watching this thread, hopefully the TMG team shows up!

    -olav
    6 January 2010 21:11
  • I think the error is a serious problem. I have reproduced the same situation in VMWare :-( using a clean install of all servers. I will not switch any production servers to Exchange 2010 and Forefront TMG without a clear solution.
    7 January 2010 08:13
  • Have the same problem, and can't find a solution for 3 months.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    17 January 2010 20:58
  • Same here. Didn't find any solution. I was forced to implement TMG 2010 without Exchange Edge and Protection :(((
    I don't believe it's a rare issue or hardware specific.

    Dawid
    26 January 2010 09:30
  • Hello,

    I am having the same problem.

    Installed Forefront TMG + Exchange 2010 Edge + FSE on a 2008 domain member.
    1 Exchange 2007 and 1 exchange 2010 with MB, CAS and HUB roles.

    Same logging in eventlog :
    E-mail policy reapplied every 1-2 minutes - Error 31506 Microsoft Forefront TMG Control

    I'm able to send, but receiving mail is very unreliable: sometimes e-mails arrive immediately, sometimes after a long time, and sometimes not at all (without anti-spam / anti-virus filters active yet).

    Could someone please Help.

    26 January 2010 23:05
  • I found a workaround.
    All configuration needs to be done in the TMG console.
    The error does not disappear, but mail flow is working and spam is being filtered.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    27 January 2010 06:06
  • Hi,

    Could you explain your workaround please ?

    Regards,

    Patriek.
    27 January 2010 08:05
  • I am not sure if this is a workaround. I am afraid that it can mean that SMTP communication is reset every 1-2 minutes. It will work if you have not too many and shorter e-mails. The impact will be mostly on large e-mails and with higher traffic.

    The error is easily reproducible. I have the same situation in my virtual test environment and on the physical servers, so it does not look like anything rare.
    27 January 2010 08:07
  • I was experiencing the same error, although intermittently rather than all the time.  After a reboot it may go away, but then come back hours/days later.  However, it's now got worse - the Forefront TMG Managed Control Service fails to apply the email configuration and then stops.  I can't get the service to start at all.

    TMG with Exchange 2010 seems to be very problematic.  I had TMG running for weeks on another server without Exchange 2010 and it worked flawlessly.
    27 January 2010 13:01
  • Guys, 

    I've just fixed my service not starting problem as above and noticed that IP addresses keep getting added to the Exchange IP blocklist.  However, they only appear in the list for a few minutes, not the full 24 hours.  My theory at the moment is that TMG detects the entry in the block list, reapplies the configuration, hence the event log messages, and in doing so clears the block list.


    27 January 2010 14:57
  • More details:

    On my server the "Sender Reputation" feature is enabled with the Threshold set to 0.  The block action is to add the IP to the block list for 24 hours.

    Obviously with the threshold set to 0 (default is 7), lots of IPs get added to the IP block list.  When the TMG Managed Control service detects that IPs have been added to the list, the email policy is reapplied to remove the IPs from the list.

    27 January 2010 15:22
  • Under Email Policy / Spam Filtering in the TMG console try disabling "Sender Reputation"

    Microsoft need to somehow allow TMG to ignore system generated entries in the IP block list - otherwise TMG and Exchange are going to continuously fight each other.
    27 January 2010 16:58
  • "Under Email Policy / Spam Filtering in the TMG console try disabling 'Sender Reputation'"
    Tried, did not help.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    27 January 2010 17:53
  • For those for whom email is flowing and are simply concerned at the reapplication of TMG policy, there is a setting in the troubleshooting node of TMG that allows you to disable email integration - essentially preventing TMG from monitoring and overriding config changes in Exchange / FSE.

    I too am suffering this problem - I dared to add an entry to the FSE backscatter excluded domains list - and TMG has been offended ever since! Curiously, I can see in the logs that the transport config IS being updated every few minutes, but I have no idea what these config changes are, as it doesn't seem to be exposed in the log.

    While not an effective solution, hopefully this is a viable workaround for some.
    4 February 2010 17:09
  • Hi All,

    I am having the same Problem.
    Forefront TMG 2010, with Exchange 2010 Edge Role and Forefront Protection 2010 for Exchange Server on Windows Server 2008. Edge Subscription is configured and working. All Services are Running and Mailflow is working properly.

    But I have this 31506 error every 2-3 minutes in the event log. Not very nice :(

    Regards
    Andres

    -- MCSE 2003 MCSA 2003 Messaging MCITP: Enterprise Administrator MCTS: Windows Server 2008 MCTS: Exchange Server 2007 Configuration MCTS: Microsoft SQL Server 2005 VCP - VMWare Certified Professional
    3 March 2010 23:23
  • I sent this information to MS and got a support case, 2 weeks ago. No answer.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    4 March 2010 05:53
  • "I sent this information to MS and got a support case, 2 weeks ago. No answer.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert"

    Any news on this subject?
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
    8 March 2010 19:33
  • No, waiting...
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    9 March 2010 06:06
  • Hi all,

    I was hoping that Update Rollup 2 for Exchange Server 2010 would solve the problem - but it did not...

    Regards
    Andres

    -- MCSE 2003 MCSA 2003 Messaging MCITP: Enterprise Administrator MCTS: Windows Server 2008 MCTS: Exchange Server 2007 Configuration MCTS: Microsoft SQL Server 2005 VCP - VMWare Certified Professional
    10 March 2010 20:01
  • SAME PROBLEM HERE.

    going to try the sender rep. workaround....

    Hope MS can shed some light!

    Thanks
    Diego Castelli
    18 March 2010 13:24
  • Incident is escalated to the Europe office.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    18 March 2010 15:37
  • "Incident is escalated to the Europe office.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert"

    Thanks, keep us updated.
    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
    18 March 2010 19:01
  • Thanks DJ SPY!

    Diego Castelli
    23 March 2010 12:40
  • Having the same issues here as well. Hope a solution comes forward soon.

    Chris

    25 March 2010 11:50
  • We are also seeing the same behavior.  Fresh install of Exch2010, FPE, TMG.  Mail seems to be flowing fine.  Just getting the event log, and the tmg log every couple of minutes.  Will try the sender rep thing.  Has anyone received a viable fix from MS yet?
    7 April 2010 16:37
  • DJ Spy

    Is there any Update on this Topic?

    Regards Andres


    -- MCSE 2003 MCSA 2003 Messaging MCITP: Enterprise Administrator MCTS: Windows Server 2008 MCTS: Exchange Server 2007 Configuration MCTS: Microsoft SQL Server 2005 VCP - VMWare Certified Professional
    15 April 2010 12:49
  • MS Engineer working on this problem.

    I have checked the TMG trace that you sent us and I do see the sequence related to the event 31506:

     [1]17F8.10A4::02/18/2010-11:48:00.650 [SMTPPROTECTION]Override unexpected configuration, signalling an event: E-Mail Policy - Configuration Reapplied

    The Email policy configuration seems to be reapplied because the below Exchange Cmdlet is executed a few seconds before (this Cmdlet removes the receive connector named External_Mail_Servers).

    [1]17F8.10A4::02/18/2010-11:47:54.817 [SMTPPROTECTION]( 00000000005ECF52 )Invoke Command:Remove-ReceiveConnector -Identity External_Mail_Servers -Confirm $false

    I'm trying to understand why this Cmdlet is called and if it is the cause of every 31506 event occurrence.

    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    15 April 2010 14:06
  • All right, the MS Engineers are still at work.

    Thanks for the update DJ Spy.

    Regards Andres


    -- MCSE 2003 MCSA 2003 Messaging MCITP: Enterprise Administrator MCTS: Windows Server 2008 MCTS: Exchange Server 2007 Configuration MCTS: Microsoft SQL Server 2005 VCP - VMWare Certified Professional
    15 April 2010 15:08
  • Thanks 4 updates DJ Spy! c u!
    Diego Castelli
    17 April 2010 12:36
  • This is still a big problem.  Microsoft needs to fix this.  Microsoft Forefront TMG Managed Control can't start because there are IP addresses in the Exchange IP Block List.  Here is a workaround:

    1. Open Exchange Management Shell

    2. Type "get-ipblocklistentry | remove-ipblocklistentry" to remove all address from the IP Block List (don't worry Exchange will put them back soon enough).

    3. Start Microsoft Forefront TMG Control service

    Exchange will continue to add IP addresses to the block list and Forefront will still fight it and log an error, but at least your firewall will start.  Of course the next time you make a policy change and try to apply it, most likely the TMG Managed Control Service won't start and you'll have to use the workaround above.

    It's like Microsoft never tested this product.  Sad.

    24 April 2010 14:47
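Added example (my own script, not from any post in this thread): a PowerShell check that ties together Martin's netstat test for the SMTP listener, the "Automatic (Delayed start)" suggestion for IsaManagedCtrl, the Sender Reputation / IP block list observation, and the clear-the-block-list workaround in the post above. It assumes it is run from the Exchange Management Shell on the combined TMG/Edge server as an administrator; the function name and its parameters are mine, while the cmdlets, the IsaManagedCtrl service name and event 31506 are those named in the thread.

```powershell
# Added example, not from the thread. Diagnose the event 31506 "policy reapplied" loop on a
# combined TMG / Exchange Edge / FPE server and optionally apply the block-list workaround.
# Run from the Exchange Management Shell on the Edge/TMG server (elevated).
# Function name and parameters are my own; cmdlets and service name are as used in the thread.
function Test-TmgEmailPolicyReapply {
    [CmdletBinding()]
    param(
        [int]$Minutes = 60,        # look-back window for event 31506
        [switch]$ClearBlockList,   # workaround from the thread: empty the block list, start the service
        [switch]$DelayedStart      # set IsaManagedCtrl to Automatic (Delayed Start), as suggested above
    )

    $since = (Get-Date).AddMinutes(-$Minutes)

    # 1. How often is TMG reapplying the e-mail policy? (event 31506, Microsoft Forefront TMG Control)
    $reapplied = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft Forefront TMG Control'
        Id           = 31506
        StartTime    = $since
    } -ErrorAction SilentlyContinue)   # Get-WinEvent errors when nothing matches; treat that as 0
    Write-Host ("Event 31506 occurrences in the last {0} min: {1}" -f $Minutes, $reapplied.Count)

    # 2. Sender Reputation: a block threshold of 0 (default 7) adds many machine-generated
    #    IP block list entries, which TMG sees as a configuration change to revert.
    $srl = Get-SenderReputationConfig
    Write-Host ("Sender Reputation enabled: {0}, SrlBlockThreshold: {1}" -f $srl.Enabled, $srl.SrlBlockThreshold)
    if ($srl.SrlBlockThreshold -eq 0) {
        Write-Warning "SrlBlockThreshold is 0; every scored sender gets blocked. The default is 7."
    }

    # 3. Current IP block list entries, split into admin-created and machine-generated ones.
    $entries = @(Get-IPBlockListEntry)
    $machine = @($entries | Where-Object { $_.IsMachineGenerated })
    Write-Host ("IP block list entries: {0} total, {1} machine-generated" -f $entries.Count, $machine.Count)
    $machine | Select-Object IPRange, ExpirationTime, HasExpired | Format-Table -AutoSize

    # 4. Service and SMTP listener state: without IsaManagedCtrl running there is no port 25.
    $svc = Get-Service -Name IsaManagedCtrl
    Write-Host ("IsaManagedCtrl: {0}" -f $svc.Status)
    $port25 = netstat -na -p TCP | Select-String ':25\s+.*LISTENING'
    if ($port25) { $port25 | ForEach-Object { Write-Host ("SMTP listener: {0}" -f $_.Line.Trim()) } }
    else { Write-Warning "No TCP listener on port 25." }

    if ($DelayedStart) {
        # Set-Service in PowerShell 2.0 cannot set delayed start; sc.exe can (note the space after '=').
        sc.exe config IsaManagedCtrl start= delayed-auto | Out-Null
        Write-Host "IsaManagedCtrl startup type set to Automatic (Delayed Start)."
    }

    if ($ClearBlockList -and $svc.Status -ne 'Running') {
        # Workaround from the thread: empty the block list, then start the service.
        # Exchange will repopulate the list; this only gets the service past startup.
        Get-IPBlockListEntry | Remove-IPBlockListEntry -Confirm:$false
        Start-Service -Name IsaManagedCtrl
        try {
            (Get-Service -Name IsaManagedCtrl).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        } catch [System.ServiceProcess.TimeoutException] {
            Write-Warning "IsaManagedCtrl did not reach Running within 60 seconds."
        }
        Write-Host ("IsaManagedCtrl after workaround: {0}" -f (Get-Service -Name IsaManagedCtrl).Status)
    }
}

# Usage:
#   Test-TmgEmailPolicyReapply -Minutes 30
#   Test-TmgEmailPolicyReapply -ClearBlockList -DelayedStart
```

Run the diagnostic part first, with no switches; if the count of machine-generated block list entries rises and falls in step with the 31506 events, that matches the Sender Reputation explanation given earlier in the thread. The -ClearBlockList switch only does something when the service is stopped, so it will not empty a block list on a server where the workaround is not needed.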
  • I can confirm error Forefront TMG detected changes in Microsoft Exchange Server or Microsoft Forefront Protection configuration, and reapplied the e-mail policy configuration on server 'TMG' when products like Forefront TMG, Forefront Protection Manager for Exchange and Exchange Edge server were installed on the same server.

    I see this error in the Application Log every hour, when the Exchange Hub Transport server initiates EdgeSync.

    Mail flow seems okay, except I have this annoying error in the log.

    MCP, MCSA 2003, MCSE 2003
    28 April 2010 08:49
  • I too have this issue.

    We have Exchange Edge role, Threat management gateway and Forefront protection all on the 1 server.

    I have noticed that TMG and Forefront Protection don't work well together. E.g. in TMG I have all the virus and content filtering enabled, in particular the message body filter.

    If I create rules for, say, File filter (block executable) and Message body filter for English profanity, they appear in Forefront Protection under Policy management - filters - filter lists.

    However, if I do it the other way round, TMG overrides and removes the rules, and I get the dreaded 31506 error. This is annoying as with FP I can import keyword lists, but under TMG I can't. I tried creating the rule on TMG for keywords; this then appeared in FP. I then tried to import the list within FP. However, when applied, TMG took control and prevented it.

    MS need to get these products working together, as I don't want to have to type 300 English profanity words into TMG.

    28 April 2010 12:00
  • We have the same issue, but in our case we use Exchange Hosted Filtering for the email scanning.  We are supposed to put all of the IP addresses in the always allow area of the external connector for Exchange.  Because TMG re-applies the default configuration every couple of minutes, the addresses don't stay.  What happens now is that when we get a lot of mail at one time, TMG assumes there is an attack from that IP and blocks it for an hour until it resets automatically.  Our server ends up blocking legitimate mail.  If I thought it would be of any value to pay the $99 to MS I would, but it seems like a lot of people have already done so.
    28 April 2010 12:13
  • I also had the same issue.

    Additionally, it is not possible to set smtp-inbound-logging on the external connector to verbose. TMG is setting it back to none. No smtp-receive-logs and no possibility to test whether non-spam mails are rejected by TMG.

    It really seems that MS never tested this configuration. I finally gave up and installed a separate edge server. Now everything is working fine and I get my smtp-logs.

    Regards

    1 May 2010 07:24
  • Hi, hkillerm,

    what do you mean by "separate edge server", just edge with FF without TMG?

    Best regards

    Martin

    1 May 2010 16:43
  • Hi,

    yes, it takes two machines, one TMG without "mailprotection" (just TMG, no exchange edge and no forefront) and another with exchange edge and forefront protection, just the same configuration as with ISA-server.

    At first look, for small environments, it seemed to be a good idea to consolidate "exchange edge" and "forefront for exchange" onto one TMG machine, but I depend on smtp-logs to control the anti-spam behaviour of TMG and so I really cannot use it.

    Best regards
    hkillerm

    2 May 2010 06:49
  • Thanks, I was thinking about it. But it needs another server :-( Do you have the Edge inside or outside your domain?

    Best regards

    Martin

    2 May 2010 08:03
  • "Hi,

    yes, it takes two machines, one TMG without "mailprotection" (just TMG, no exchange edge and no forefront) and another with exchange edge and forefront protection, just the same configuration as with ISA-server.

    At first look, for small environments, it seemed to be a good idea to consolidate "exchange edge" and "forefront for exchange" onto one TMG machine, but I depend on smtp-logs to control the anti-spam behaviour of TMG and so I really cannot use it.

    Best regards
    hkillerm"

    I 'sold' the TMG/Exchange/FPE setup to two customers before I became aware of the problems with this setup. The first customer chose two servers in the DMZ, both with the TMG/Exchange/FPE combination. Just Standard Editions so no array; the customer planned on manually keeping the configurations identical. Before building the environment at the customer's site I found crashing Exchange and TMG services in my lab, and also saw the issue we are discussing here in this topic.

    Still, I built the environment with the customer, and when we noticed that services were crashing on both identical servers, we opened a case with PSS. That was the 24th of February. Today they are still working on troubleshooting and there's no indication that a solution will be available in a short time.

    This issue was now delaying the project, so we chose to build two separate servers for both tasks, one with TMG for web publishing and one with the Exchange ET role and FPE for spam and virus scanning. We kept the other two servers to allow PSS to continue to investigate.

    For the other customer the building of the environment is scheduled within two weeks. If PSS has no fix for the crashing services and event log flooding, then we'll have to separate the roles for that customer too. Currently I'm not advising my customers to combine TMG, Exchange and FPE.

    With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
    2 May 2010 09:47
  • Hi Jetze,

    thank you for your reply. I hope that Microsoft will find a solution, as we have a small environment and a spare server is a "little" problem. At the moment I have FPE installed directly on the Exchange CAS/HUB/MBX, which is not the best solution at all.

    Thanks

    Kiwisek

    3 May 2010 06:40
  • Hi Martin,

    as Exchange Edge 2010 is fully supported as domain member I installed it that way with two nics, one in the perimeter network of TMG, the other in the internal network. For me it works perfect.

    regards
    hkillerm

    3 May 2010 16:05
  • Hi hkillerm,

    I would prefer to put it into the DMZ, as I am a little bit afraid to place a domain-connected machine directly on the Internet with only the embedded firewall. I will try to "spare" some server ;-)

    Thanks and best regards

    Kiwisek

    4 May 2010 19:46
  • Hi Kiwisek,

    as I posted, I put the external nic of my exchange edge into the perimeter network of the TMG. So it is not only protected by the embedded local firewall but also by the TMG.

    But I agree, my design is not the solution for all networks. It depends on the special requirements and demands of every single company and must fit them.

    Are there any updates from MS support to our problem with TMG??

    Best regards
    hkillerm

    9 May 2010 06:21
  • I too am getting the 31506 error, but mail flow is fine, and I have no other issues with TMG or Exchange.  I have even tried disabling edge sync, reapplying the policy at the Exchange server and enabling edge sync again as a workaround posted here:

    http://blogs.technet.com/yuridiogenes/archive/2010/04/02/unable-to-add-an-additional-ip-on-receive-connector-on-exchange-edge-when-using-e-mail-protection-feature-on-forefront-tmg-2010.aspx

    Michael R. Mastro II
    12 May 2010 14:02

  • I am wondering how this solution should work, as only configuration data of the send connectors is part of the edge sync data, look at

    http://technet.microsoft.com/en-us/library/bb232177.aspx

    Receive Connector configuration is not affected by edge sync. I would be curious whether the additional ip-address of the receive connector is still there after a reboot of TMG.

    I am looking for an answer.

    Best regards
    hkillerm

    12 May 2010 14:39
  • I think that no matter what the issue is, be it Exchange or Forefront Protection, TMG is overwriting any configuration changes. These products need to work hand in hand rather than having one dominant product.

    Yes, if TMG recognises a configuration change that opens a security hole, by all means override, but in our case the simple import of keywords into Forefront should be picked up by TMG and acknowledged.

    12 May 2010 14:57
  • have you guys gotten this problem solved?

    I also had a problem with the IP block list and these error messages...

    now I set the sender reputation to default level 7, still same problem.

    I now got tons of error messages in event log and TMG dashboard...

    Forefront TMG detected changes in Microsoft Exchange Server or Microsoft Forefront Protection configuration, and reapplied the e-mail policy configuration on server

    and

    A configuration update for Microsoft.Exchange.Transport.ReceiveConnectorConfiguration has successfully completed

    This problem is a real annoyance......It looks like it is the receive connector trying to get updated from the edgesync. But I belive that receive connectors arnt synced via edgesync..

    Please help....

    21 mai 2010 12:35
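    Two questions raised above (whether the additional IP on the receive connector survives a TMG reapply, and how often event 31506 actually fires) can be answered from the box itself. The following PowerShell script is an added example, not code from the thread or from Microsoft: it counts the 31506 events from the "Microsoft Forefront TMG Control" source shown in the original post, prints the median gap between them (a gap of roughly 60 to 120 seconds means the reapply loop is still running), and compares the current receive connector bindings and remote IP ranges with a saved baseline so a silent revert shows up as a diff. It assumes it runs in the Exchange Management Shell on the TMG/Edge server (needed for Get-ReceiveConnector); the baseline path is a placeholder you can change.

```powershell
# Added example (not from the thread): measure the 31506 reapply rate and detect
# receive connector drift after a reapply. Assumes the Exchange Management Shell
# on the TMG/Edge server; $BaselinePath is a placeholder, not a path from the thread.
param(
    [int]$Hours = 24,
    [string]$BaselinePath = 'C:\Temp\ReceiveConnectorBaseline.xml'   # placeholder
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Reapply events: source and ID exactly as in the event shown at the top of the thread.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft Forefront TMG Control'
    Id           = 31506
    StartTime    = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No 31506 events in the last $Hours hour(s)."
} else {
    Write-Host ("{0} reapply events in the last {1} hour(s); per hour:" -f $events.Count, $Hours)
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        ForEach-Object { Write-Host ("  {0}  {1,4}" -f $_.Name, $_.Count) }

    # Median interval between consecutive events; ~60-120 s means the loop is ongoing.
    $times = @($events | Sort-Object TimeCreated | Select-Object -ExpandProperty TimeCreated)
    if ($times.Count -gt 1) {
        $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $sorted = @($gaps | Sort-Object)
        Write-Host ("  median gap between events: {0:N0} s" -f $sorted[[int]($sorted.Count / 2)])
    }
}

# 2. Receive connector drift: flatten Bindings and RemoteIPRanges to sorted strings so
#    Compare-Object can diff them against the baseline property by property.
$current = Get-ReceiveConnector | Select-Object Name,
    @{ n = 'Bindings';       e = { ($_.Bindings       | ForEach-Object { $_.ToString() } | Sort-Object) -join ',' } },
    @{ n = 'RemoteIPRanges'; e = { ($_.RemoteIPRanges | ForEach-Object { $_.ToString() } | Sort-Object) -join ',' } }

if (-not (Test-Path $BaselinePath)) {
    # First run: record what the connectors look like right after you configure them.
    $current | Export-Clixml $BaselinePath
    Write-Host "Baseline saved to $BaselinePath; rerun after the next 31506 event."
} else {
    $baseline = Import-Clixml $BaselinePath
    $diff = Compare-Object $baseline $current -Property Name, Bindings, RemoteIPRanges
    if ($diff) {
        # '<=' rows are baseline values that are gone, '=>' rows are what TMG left behind.
        Write-Warning "Receive connector configuration differs from the baseline:"
        $diff | Format-Table -AutoSize
    } else {
        Write-Host "Receive connectors unchanged since the baseline."
    }
}
```

    Run it once right after adding the extra IP to the connector to save the baseline, then again after the next 31506 event (or after a TMG reboot); if the extra binding appears only on the baseline side of the diff, the reapply reverted it.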
  • I was having the problem with "Configuration Reapplied" after I did the Edge subscription from the TMG/Edge/Forefront for Exchange. It would sync (after restarting the EdgeSync service on the Exchange server) and then I'd see the error, and EdgeSync would no longer work. I did a *facepalm* when I fixed this.

    In the Forefront TMG console, go to the E-Mail Policy category, E-mail Policy tab, and check "Edge Subscription Connectivity". I enabled this and it has since worked like a charm, after of course resubscribing to the Edge and restarting the EdgeSync service on the main Exchange server.

    I hope this helps someone else, and that I'm not too late to the game!

    22 May 2010 19:52
  • Well, I disabled Edge Subscription Connectivity, then enabled Edge Subscription Connectivity, then made a new edge subscription file, then resynced.... still getting the error. So for some people it works, for some it doesn't.
    Michael R. Mastro II
    28 May 2010 01:13
  • The problem escalated in Redmond to the ISA team.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    28 May 2010 04:51
  • Do we continue without answers?

    16 June 2010 10:24
  • I have some information from MS Support.

    Finally the product team accepted to investigate this bug before SP2.

    This means that we should have a post-SP1 hotfix solving this problem (SP1 is expected very soon – stay tuned on http://blogs.technet.com/b/isablog/).

    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    23 June 2010 16:34
  • Thanks for the info. The SP1 is already available from Microsoft Download Center. I hope they will solve this annoying bug soon.

    25 June 2010 11:43
  • SP1 DOESN'T SOLVE THIS PROBLEM!!!!!!!!!!!!!!
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    25 June 2010 20:10
  • I know, I just wanted to say that it is already available.
    26 June 2010 05:48
  • Hi,

    I am only wondering what they did since TMG was released. In addition to the bug

    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/17002e2c-316b-48ec-8d3e-6d7b11b312e4/

    I found another confirmed bug. So TMG does not support certificates issued with the new (but not really new) Windows 2008 templates.

    All I do is forget the feature "Mail protection", use old certificates and wait for the next version of TMG fully supporting IPv6.

    Best regards
    hkillerm

    26 June 2010 06:49
  • Just a little update,

    I can confirm I deployed 3 more TMGs with mail protection and there are always the same bugs.

    Diego Castelli
    6 July 2010 10:44
  • The problem is in localization!!!!!!!!!!!!

    If you build the system only with the en-EN locale, everything works without errors.

    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    6 July 2010 11:33
  • I have now seen the exact same error in two different environments, one of those with TMG Std and the other with TMG Ent, no difference with or without TMG SP1.

    8 July 2010 09:12
  • Thanks for the info. I will try it soon. Do you think that the locale can have an impact on FFPE function?

    Best regards

    Martin

    9 July 2010 07:16
  • An engineer from MS Support told me about the locale.
    MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
    9 July 2010 07:38
  • Has anyone received any more direction from MS on this? I have applied SP1 and it does not fix the issue.
    30 July 2010 22:02
  • SP1 is not a solution for this problem. Hopefully there will be a hotfix before SP2.
    31 July 2010 07:02
  • Found this useful temporary fix.

    http://www.howexchangeworks.com/2010/08/disable-email-policy-integration-mode.html

    • Proposed as answer by WalkerJohny 9 August 2010 11:23
    9 August 2010 11:21
  • Have you seen this article: http://blogs.technet.com/b/isablog/archive/2010/08/24/unable-to-receive-e-mails-from-the-internet-using-e-mail-protection-feature-on-forefront-tmg-2010.aspx 

    I am about to troubleshoot two different deployments with this issue today; I'll get back to you when I have checked this out.

    7 September 2010 05:05
  • Hi All

    The problem is now finally solved with Software Update 1 for TMG 2010 SP1 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695d0709-0d8b-45ee-afdb-727c4428ca4d

    http://blogs.technet.com/b/isablog/archive/2010/09/20/software-update-1-for-microsoft-forefront-threat-management-gateway-tmg-2010-service-pack-1-now-available-for-download.aspx

    I have also updated the Exchange 2010 SP1 (Edge Role) on the TMG http://www.microsoft.com/downloads/details.aspx?FamilyID=50b32685-4356-49cc-8b37-d9c9d4ea3f5b&displaylang=de

    No more errors since then :o)

    Regards

    Andres

    -- MCSE 2003 MCSA 2003 Messaging MCITP: Enterprise Administrator MCTS: Windows Server 2008 MCTS: Exchange Server 2007 Configuration MCTS: Microsoft SQL Server 2005 VCP - VMware Certified Professional
    22 September 2010 19:11
  • Sad to report this is not fixed.

    Running TMG with SP1, Exchange Edge server with SP1, also Forefront for the Exchange Edge server.

    If I apply a change, e.g. as in my post before (import a profanity list), TMG then overwrites it again, thus losing all the changes I made.

    23 September 2010 15:07