Archive for April 2010

TMG 2010 seems to be still in Beta

Our apprentice is doing a project for his final exams (IPA). For it, we chose to replace our current Exchange 2007 Edge with a Forefront TMG 2010 / Exchange 2010 Edge combination.

As the project progressed, we found a few extremely irritating and hard-to-debug issues that needed my involvement to figure out the root cause and get them resolved without compromising the exam results.

Be aware that most of the debugging and research here was done by our apprentice, not by me.

There are several key issues with TMG that we've noticed so far:

IP Blocklist Entries

If IP Blocklist Entries are present in Exchange 2010 Edge, enabling E-Mail Policy Integration will cause TMG to reject all further changes, with the following error message:

Windows Could not Start the "Microsoft Forefront TMG Managed Control" service on Local Computer
Error 0x80070057 : Parameter is incorrect

I found this solution in the TechNet forums: you need to remove all IP Block List and IP Allow List entries.
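The following script is an added example, not code from the original post or from the TechNet thread it refers to. It backs up both lists before deleting them (the entries are gone once removed, and you will probably want to re-create them somewhere), clears them, and then checks that both lists are really empty before you enable E-Mail Policy Integration. It is meant to be run in the Exchange Management Shell on the Edge server; the backup directory is an assumption.

```powershell
# Added example (not from the original post): back up and then clear the Edge
# server's IP Block List and IP Allow List before enabling TMG's E-Mail Policy
# Integration. Run in the Exchange Management Shell on the Edge server.
# The backup path is an assumption; adjust it to taste.
$BackupDir = 'C:\EdgeBackup'
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Keep a copy of what is about to be deleted, so the entries can be
#    reviewed or re-created later. Export-Clixml keeps all properties
#    (IP range, expiration time, comment) intact.
$block = @(Get-IPBlockListEntry)
$allow = @(Get-IPAllowListEntry)
Export-Clixml -InputObject $block -Path (Join-Path $BackupDir "IPBlockList-$stamp.xml")
Export-Clixml -InputObject $allow -Path (Join-Path $BackupDir "IPAllowList-$stamp.xml")
Write-Host ("Backed up {0} block list and {1} allow list entries to {2}" -f `
    $block.Count, $allow.Count, $BackupDir)

# 2. Remove every entry. The Remove-IP*ListEntry cmdlets take the numeric
#    Identity of each entry; -Confirm:$false suppresses the per-entry prompt.
$block | ForEach-Object { Remove-IPBlockListEntry -Identity $_.Identity -Confirm:$false }
$allow | ForEach-Object { Remove-IPAllowListEntry -Identity $_.Identity -Confirm:$false }

# 3. Verify both lists are empty before touching TMG; abort otherwise.
$remaining = @(Get-IPBlockListEntry).Count + @(Get-IPAllowListEntry).Count
if ($remaining -ne 0) {
    throw "Still $remaining IP list entries present; do not enable E-Mail Policy Integration yet."
}
Write-Host 'IP Block List and IP Allow List are empty.'
```

Run it once, check the two XML files exist and contain what you expect, and only then enable the integration in the TMG console. The check in step 3 is deliberate: an entry that slips through (for example one added by another admin between backup and removal) reproduces exactly the 0x80070057 failure described above.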

Extremely slow boot

Forefront TMG 2010 with Exchange 2010 and FPE 2010 installed boots extremely slowly, taking up to 30 minutes. This is caused by the coexistence with Exchange 2010.

Again, I found a solution in the TechNet forums.

You need to set the services Microsoft Exchange Transport and Microsoft Forefront TMG Managed Control to Automatic (Delayed Start). This reduces the boot time to about 3 minutes.
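As an added example (not part of the original post), here is how to apply and verify that change from an elevated PowerShell prompt on the TMG server. The services are looked up by the display names the post uses, so no short service names need to be hard-coded; `sc.exe` is used because `Set-Service` on Windows Server 2008 R2 / PowerShell 2.0 cannot express delayed start.

```powershell
# Added example (not from the original post): set the two services named in
# the post to "Automatic (Delayed Start)" and verify the change took effect.
# Run as Administrator on the TMG server.
$displayNames = @('Microsoft Exchange Transport',
                  'Microsoft Forefront TMG Managed Control')

foreach ($dn in $displayNames) {
    # Resolve the short service name from the display name.
    $svc = Get-Service -DisplayName $dn -ErrorAction Stop

    # Set-Service cannot set delayed start on this platform; sc.exe can.
    # Note: sc.exe requires the space after "start=".
    & sc.exe config $svc.Name start= delayed-auto | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed for $($svc.Name) (exit code $LASTEXITCODE)"
    }

    # Verify: the Service Control Manager stores Automatic as Start=2 and
    # delayed start as DelayedAutostart=1 under the service's registry key.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $props = Get-ItemProperty -Path $key
    if ($props.Start -ne 2 -or $props.DelayedAutostart -ne 1) {
        throw "$dn ($($svc.Name)) is not set to Automatic (Delayed Start)"
    }
    Write-Host ("{0} ({1}): Automatic (Delayed Start)" -f $dn, $svc.Name)
}
```

The registry check matters because `sc.exe` prints `[SC] ChangeServiceConfig SUCCESS` even when run against a service whose configuration is later rewritten by an installer; re-run the script after applying TMG or Exchange updates to confirm the setting survived.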

lsass.exe crashes when creating Edge subscriptions

The next issue we noticed is that while the initial Edge subscription worked, the second one didn't. It crashed lsass.exe, which subsequently caused a bluescreen. Not a very nice experience.

Again, we found a solution on the TechNet forums, and this is getting worse by the minute. The lsass.exe crash can be mitigated by removing all but one SSL certificate – not exactly a good approach, since a TMG likely has multiple SSL certificates for publishing a variety of services. But it worked. Except that mail flow didn't.

Outgoing Mailflow doesn’t work with TMG 2010

Of course, things weren't working yet. While incoming mail flow now worked flawlessly, outgoing mail flow didn't – mails were stuck in the queue with "Primary Target IP Address responded with 421 Unable to establish connection".

We tried to look at this, but everything seemed alright – yet we couldn't modify any connectors on the Edge server: TMG prevented it, so we had no verbose logging from the Receive Connectors. Changing the configuration in the Exchange Edge console resulted in the following error message:

Forefront TMG detected changes in Microsoft Exchange Server or Microsoft Forefront Protection configuration, and reapplied the e-mail policy configuration on server

So I'm not supposed to do that. The TMG console didn't give me the option of enabling verbose logging. We were stumped.

Luckily, further research showed that one can disable the integration between the Exchange Edge role and Forefront TMG – this was mentioned in this TechNet forums post.

After disabling this integration, I was able to enable verbose logging. Which didn't help at all, since the Exchange 2010 HT just wouldn't show up in the logs, suggesting a deeper issue.

At that point, we checked the receive connectors that had been created by Forefront – and the internal Receive Connector didn't allow Exchange Server Authentication. After enabling it, we were finally able to send mail successfully through the Exchange Edge services.
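The script below is an added example, not code from the original post. It covers both of the last two steps: it audits every Receive connector on the Edge server for Exchange Server authentication and its protocol logging level, then adds `ExchangeServer` to the internal connector's existing mechanisms (rather than replacing them, so TLS or other settings already there are preserved) and switches that connector to verbose protocol logging, so the Hub Transport's SMTP session can actually be seen in the log. Run it in the Exchange Management Shell on the Edge server after the TMG integration has been disabled; otherwise TMG reapplies its own policy and overwrites the change. The connector name is a placeholder; take the real one from the audit output.

```powershell
# Added example (not from the original post): audit Receive connectors for
# Exchange Server authentication, enable it on the internal connector, and
# turn on verbose protocol logging. Run in the Exchange Management Shell on
# the Edge server, with the TMG/Edge integration disabled.
$InternalConnector = 'Internal Receive Connector'   # assumption: placeholder name

# 1. Audit: which connectors accept Exchange Server authentication, and at
#    what logging level? AuthMechanism is a flags enum; ToString() yields
#    "Tls, Integrated" etc., which we split into individual names.
Get-ReceiveConnector | ForEach-Object {
    $mechs = $_.AuthMechanism.ToString() -split ',\s*'
    New-Object PSObject -Property @{
        Name           = $_.Name
        Bindings       = ($_.Bindings -join ', ')
        ExchangeServer = ($mechs -contains 'ExchangeServer')
        Logging        = $_.ProtocolLoggingLevel
    }
} | Format-Table Name, Bindings, ExchangeServer, Logging -AutoSize

# 2. Add ExchangeServer to whatever mechanisms the connector already has.
$rc    = Get-ReceiveConnector -Identity $InternalConnector
$mechs = @($rc.AuthMechanism.ToString() -split ',\s*' |
           Where-Object { $_ -and $_ -ne 'None' })
if ($mechs -notcontains 'ExchangeServer') { $mechs += 'ExchangeServer' }
Set-ReceiveConnector -Identity $rc.Identity `
    -AuthMechanism ($mechs -join ',') `
    -ProtocolLoggingLevel Verbose

# 3. Verify the change and show where the receive protocol log is written,
#    so the next HT connection attempt can be inspected there.
$rc = Get-ReceiveConnector -Identity $InternalConnector
if ($rc.AuthMechanism.ToString() -notmatch 'ExchangeServer') {
    throw "ExchangeServer authentication is still not set on $InternalConnector"
}
$ts = Get-TransportServer
Write-Host ("{0}: AuthMechanism={1}, ProtocolLoggingLevel={2}" -f `
    $rc.Name, $rc.AuthMechanism, $rc.ProtocolLoggingLevel)
Write-Host ("Receive protocol log path: {0}" -f $ts.ReceiveProtocolLogPath)
```

If the Hub Transport still does not appear in the receive protocol log after this, the problem is upstream of authentication (network path, port 25 reachability from the HT, or the Edge subscription itself), which is what the absence of any session in the log was telling us above.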

Final words

Forefront TMG 2010 still seems to be in beta. The integration with Exchange 2010 doesn't work as nicely as it should. I hope these things get fixed soon with hotfixes for TMG 2010. Until then, we've found workarounds for all of these issues.

I'm publishing this article as quickly as I can, because I'm most likely not the only one with these issues.

TechDays 2010 Basel will be the last that I have attended

Today marks the second and last day of TechDays 2010 in Basel.

I have attended TechDays 05, 06, 07, 08 and 2010. While I've always had something to complain about, there was always something to gain from attending. Not this time.

When reading this, keep in mind that I've only attended IT Pro sessions (with the exception of the Windows Phone 7 Developer Briefing).

Too many things have gone wrong.

  • The keynote was boring and it didn’t even remotely have anything to do with the job of an IT Pro or a Developer. The keynote speaker also used a MacBook with OS X/Keynote.app. Seriously.
  • The food was worse than what I got to eat at my Berufsschule (which wasn’t very good).
  • The long lines were still there – waiting 20 minutes in line for bad food isn’t my idea of spending the day. They should’ve solved this problem by now.
  • No more English talks. Why? I think we could use some experts.
  • All the talks were very basic. No In-Depth stuff. Nothing to learn.
  • I don’t want a basic talk about what OCS 2007 R2 can do. We’ve been using this for two years. It’s old news. Talk about Wave 14.
  • Giving a basic intro on what SCVMM and Hyper-V are is not an IT Pro track – these technologies have been out for years and everyone who's interested will already know those basics.
  • Make sure your stuff works. 75% of the demos did not work, most of them because of bad internet connectivity. Yeah, I guess moving all the stuff to the "cloud" is a good idea.

The location and the whole ship theme were okay though. The evening event was also nice, and they did have good food there (different catering organization). Not sure what some Danish bloke was doing there yelling "in the cloud" about 50 times. I wanted to see some chair-throwing.

Another interesting tidbit: The number of iPhones at the event. I’ve seen more iPhones than WinMo phones.

So, did you attend TechDays? What did you think about it?