TMG 2010 seems to be still in Beta
Our apprentice is doing a project for his final exams (IPA). For that, we’ve chosen to replace our current Exchange 2007 Edge with a Forefront TMG 2010 / Exchange 2010 Edge combination.
As the project progressed, we’ve found a few extremely irritating and hard-to-debug issues, which needed my involvement to figure out the root cause and get them resolved, without compromising the exam results.
Be aware that most of the debugging and research here was done by our apprentice, not by myself.
There are several key issues with TMG that we’ve noticed so far:
IP Blocklist Entries
If IP Blocklist Entries are present in Exchange 2010 Edge, enabling E-Mail Policy Integration will cause TMG to reject all further changes, with the following error message:
Windows Could not Start the "Microsoft Forefront TMG Managed Control" service on Local Computer Error 0x80070057 : Parameter is incorrect
I’ve found this solution in the TechNet forums. You need to remove all IP Blocklist and Allow List Entries.
Extremely slow boot
Forefront TMG 2010 with Exchange 2010 and FPE 2010 installed will boot extremely slowly, requiring up to 30 minutes. This issue is caused by the coexistence with Exchange 2010.
Again, I’ve found a solution in the TechNet forums.
You need to set the services Microsoft Exchange Transport and Microsoft Forefront TMG Managed Control to Automatic (Delayed Start). This will reduce the boot time to about 3 minutes.
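The same change can be scripted and verified rather than clicked through in services.msc. This is an added example (not from the original post); the service display names come from the post, the short service names are resolved at runtime because the post does not give them, and the registry check reads the value that Automatic (Delayed Start) sets.

```powershell
# Added example: set both services to Automatic (Delayed Start) and read the change back.
# Run in an elevated PowerShell session on the TMG/Edge server.
$displayNames = @('Microsoft Exchange Transport', 'Microsoft Forefront TMG Managed Control')

foreach ($dn in $displayNames) {
    $svc = Get-Service -DisplayName $dn -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$dn' not found on this machine"; continue }

    # Set-Service on Windows Server 2008 R2 has no delayed-start option, so use sc.exe.
    # sc.exe requires the space after 'start=' (PowerShell passes the two tokens separately).
    & sc.exe config $svc.Name start= delayed-auto | Out-Null

    # Read back: DelayedAutostart=1 under the service key means the change took effect.
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    '{0} ({1}): Start={2} DelayedAutostart={3}' -f $dn, $svc.Name, $reg.Start, $reg.DelayedAutostart
}
```

Start=2 with DelayedAutostart=1 is the combination that corresponds to Automatic (Delayed Start); the change applies at the next boot.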
lsass.exe crashes when creating Edge subscriptions
The next issue we’ve noticed is that while the initial edge subscription worked, the second one didn’t. It crashed lsass.exe, which subsequently caused a bluescreen. Not a very nice experience.
Again, we’ve found a solution on the TechNet forums, and this is getting worse by the minute. The lsass.exe crash can be mitigated by removing all except one SSL certificate – not exactly a good approach since a TMG likely has multiple SSL certificates for publishing a variety of services. But it worked. Except that mailflow didn’t.
Outgoing Mailflow doesn’t work with TMG 2010
Of course, stuff wasn’t working yet. While incoming mailflow now worked flawlessly, outgoing mailflow didn’t: mails were stuck in the queue with “Primary Target IP Address responded with 421 Unable to establish connection”.
We’ve tried to look at this, and everything seemed alright. But we couldn’t modify any connectors on the Edge server, because TMG prevented it, and thus we had no Verbose logging from the Receive Connectors. Changing the configuration in the Exchange Edge console resulted in the following error message:
Forefront TMG detected changes in Microsoft Exchange Server or Microsoft Forefront Protection configuration, and reapplied the e-mail policy configuration on server
So I’m not supposed to do that. The TMG console didn’t give me the option of enabling Verbose logging. We were stumped.
Luckily, further research showed that one could disable the integration between the Exchange Edge role and Forefront TMG – this was mentioned on this TechNet forums post.
After disabling this integration, I was able to enable Verbose logging. Which didn’t help at all, since the Exchange 2010 HT just wouldn’t show up in the logs, which pointed to a deeper issue.
At that point, we’ve checked the receive connectors that were created by Forefront – and the internal Receive Connector didn’t allow Exchange Server Authentication. After setting that to enabled, we were finally able to send mail successfully using the Exchange Edge services.
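The two steps that finally made outbound mail work (verbose protocol logging on the receive connector, then enabling Exchange Server Authentication on it) can be done from the Exchange Management Shell on the Edge server once the TMG integration is disabled. This is an added example, not code from the original post; the connector name is an assumption, since the post does not name the connector TMG created.

```powershell
# Added example: inspect the Edge receive connector that accepts mail from the internal
# Hub Transport servers, turn on verbose protocol logging, and add ExchangeServer
# authentication if it is missing. Run in the Exchange Management Shell on the Edge server
# with TMG e-mail policy integration disabled, otherwise TMG reapplies its own configuration.
$connectorName = 'Internal Receive Connector'   # assumed name; list them with Get-ReceiveConnector

$rc = Get-ReceiveConnector | Where-Object { $_.Name -eq $connectorName }
if (-not $rc) { throw "Receive connector '$connectorName' not found; run Get-ReceiveConnector to list them." }

# Verbose protocol logging shows whether the Hub Transport ever opens a session and why it fails.
Set-ReceiveConnector -Identity $rc.Identity -ProtocolLoggingLevel Verbose

# AuthMechanism is a comma-separated flag set such as "Tls, ExchangeServer". Keep the existing
# mechanisms (dropping a bare 'None') and add ExchangeServer only if it is absent.
$mechs = @($rc.AuthMechanism.ToString() -split ',\s*' | Where-Object { $_ -and $_ -ne 'None' })
if ($mechs -notcontains 'ExchangeServer') {
    $mechs += 'ExchangeServer'
    Set-ReceiveConnector -Identity $rc.Identity -AuthMechanism ($mechs -join ',')
}

# Read the result back: Bindings and RemoteIPRanges confirm this is the connector the HT talks to.
Get-ReceiveConnector -Identity $rc.Identity |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, ProtocolLoggingLevel
```

Check RemoteIPRanges against the Hub Transport server addresses before changing anything: if the Hub Transport does not match this connector it will hit a different one, and the authentication change will have no effect.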
Final words
Forefront TMG 2010 still seems to be in Beta. The integration with Exchange 2010 doesn’t work as nicely as it should. I hope these things get fixed soon with Hotfixes for TMG 2010. Until then, we’ve found workarounds for all of these issues.
I’m publishing this article as quickly as I can, because I’m most likely not the only one with these issues.

Marc Grote:
Hi Lukas,
I’ll second this, and I also hope that coming Hotfixes resolve this issue.
I suggest sending your issues directly to Microsoft, or if you want I can establish a contact to a Microsoft employee who is responsible for ISA / TMG to escalate your issues.
regards Marc
2. May, 2010, 13:55

Tommy Evensen:
I had the same problems… so I believe they haven’t tested it as well as they should…
Now I have another problem… 1 specific SSL enabled website worked flawlessly before, but with TMG we see various timeouts, slowdowns and not being able to load the page at all.
25. June, 2010, 14:15

Better yet, opening the website on the TMG server itself is lightning fast, but not from the clients on the LAN…
Strange one…
Will Moore:
I ran into every one of these issues and then some. Most of the issues, I too, was able to workaround. I finally got all the Exchange2010-Edge/Forefront CRAP working after an 18 hour+ day only to come in to work the next day and have the server puke all over itself from trying to do too much. I only have about 40 internal users and my server is a Dual Proc./Dual Core 3.2 ghz machine with 4 GB RAM. I either mis-calculated on the server sizing or more likely MS has outdone itself in making this product suck (Not TMG but the Exchange/TMG integration). Anyway, I ended up ripping all the Exchange/Forefront/Email Policy stuff out of the TMG server (in the middle of the day because mail stopped working) and just setup an inbound SMTP rule directly to exchange.
We are a MS partner and get TMG Standard for free. I have always been a checkpoint (Real Firewall) proponent and unfortunately this experience has further proven to me that ISA is a load of poop.
2. July, 2010, 02:15

Ian Currie:
Hi Lukas,
Regarding the 31506 event “TMG Detected changes…..”. After you completed the monitoring, did you re-enable Exchange-TMG integration? And, if so, did it stop the event from being triggered?
We’ve been waiting for a long time for Microsoft to fix this one and nothing in SP1. It occurs if changes are made directly to the Exchange Edge server (best avoided altogether, I know). But how to correct this, no one seems to know.
Ian
7. August, 2010, 23:21