Unable to Add an Additional IP on Receive Connector on Exchange Edge when using E-Mail Protection feature on Forefront TMG 2010

1. Introduction

Consider a scenario where the firewall administrator configures the E-Mail Protection feature on Forefront TMG 2010 and enables EdgeSync traffic as shown below:


The environment was working fine, but later the firewall administrator wanted to add an additional IP address to the Receive Connector (in Forefront TMG terminology, this is the External SMTP Route). However, when opening the properties of this route in the TMG console and switching to the Routing tab, the following message appears:


Note: When EdgeSync is enabled you cannot make direct changes to some properties of the Exchange Edge server; those changes must be made on the Exchange Hub Transport Server and replicated to the Edge. For more information on the settings that are replicated via EdgeSync, see http://technet.microsoft.com/en-us/library/bb232177.aspx

The firewall administrator contacted the Exchange administrator, who tried to change this setting directly in the Exchange Edge console by following the procedure below:


Some time after this setting was applied, the following alert appeared in the Forefront TMG Alerts:


After this alert appears, the configuration is reverted to its original state (without the additional IP address on the receive connector).

2. Why can't I change my Exchange Edge settings?

This is expected behavior when Exchange Edge is installed on the same computer as Forefront TMG 2010 as part of the E-Mail Protection feature. The Forefront TMG Managed Control service is responsible for detecting changes to the E-Mail Protection policy and replicating them from TMG to Exchange Edge. TMG, not the Exchange console, holds the authoritative copy of these settings, so changes made directly in the Exchange console are overwritten the next time the policy is applied.

3. What should I do if I need to add an additional IP address on the External connector?

The workaround for adding additional IP addresses after EdgeSync has been configured via E-Mail Protection on TMG 2010 is to temporarily disable EdgeSync in the TMG 2010 console, as shown below:


After disabling this setting and applying the changes on TMG, you can edit the External connector to add the additional IP address. Once the additional IP address has been added, you can re-enable EdgeSync using the procedures from Using Mail Protection with Exchange EdgeSync on Forefront TMG.
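As an added example that is not part of the original article, the following PowerShell (run in the Exchange Management Shell on the TMG/Edge server) checks whether the IP address added in the procedure above actually persisted after EdgeSync was re-enabled and the TMG policy applied, and keeps polling for a few minutes so that a revert by the TMG Managed Control service is caught immediately rather than discovered later. The connector name External_Mail_Servers and the address 203.0.113.25 are placeholders, and the function names are mine; Get-ReceiveConnector and its Bindings and RemoteIPRanges properties are Exchange's own.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell on the server that hosts both Forefront TMG 2010 and Exchange Edge.
# Verifies that an IP address added to a receive connector survives the TMG
# policy application that follows re-enabling EdgeSync.

function Convert-IPv4ToUInt32 {
    # Turns a dotted IPv4 string into an unsigned integer so ranges can be compared.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-ReceiveConnectorHasIp {
    # Returns $true if $Ip is a local binding (an address the connector listens on)
    # or falls inside one of the connector's RemoteIPRanges. Both are checked because
    # the article does not say which of the two the "additional IP" lands in.
    param(
        [Parameter(Mandatory)][string]$ConnectorName,
        [Parameter(Mandatory)][string]$Ip
    )
    $connector = Get-ReceiveConnector -Identity $ConnectorName -ErrorAction Stop
    $target = Convert-IPv4ToUInt32 -Address $Ip

    foreach ($binding in $connector.Bindings) {
        if ($binding.Address.ToString() -eq $Ip) { return $true }
    }
    foreach ($range in $connector.RemoteIPRanges) {
        # Skip IPv6 ranges; the conversion above is IPv4 only.
        if ($range.LowerBound.AddressFamily -ne 'InterNetwork') { continue }
        $lo = Convert-IPv4ToUInt32 -Address $range.LowerBound.ToString()
        $hi = Convert-IPv4ToUInt32 -Address $range.UpperBound.ToString()
        if ($target -ge $lo -and $target -le $hi) { return $true }
    }
    return $false
}

function Watch-ReceiveConnectorIp {
    # Polls the connector for $Minutes minutes after EdgeSync is re-enabled and
    # returns $false as soon as the address disappears (the "reverted back"
    # behaviour described in the article), $true if it is still there at the end.
    param(
        [Parameter(Mandatory)][string]$ConnectorName,
        [Parameter(Mandatory)][string]$Ip,
        [int]$Minutes = 10,
        [int]$IntervalSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        $stamp = Get-Date -Format 'HH:mm:ss'
        if (-not (Test-ReceiveConnectorHasIp -ConnectorName $ConnectorName -Ip $Ip)) {
            Write-Warning "$stamp $Ip is no longer on '$ConnectorName': TMG reverted the change. Repeat the disable EdgeSync / edit / re-enable sequence, applying the policy after each step."
            return $false
        }
        Write-Host "$stamp $Ip still present on '$ConnectorName'"
        Start-Sleep -Seconds $IntervalSeconds
    }
    Write-Host "$Ip survived $Minutes minutes of TMG policy application on '$ConnectorName'"
    return $true
}

# Placeholder values (assumed for this example, not taken from the article):
$ConnectorName = 'External_Mail_Servers'
$AddedIp       = '203.0.113.25'

Watch-ReceiveConnectorIp -ConnectorName $ConnectorName -Ip $AddedIp -Minutes 10
```

Start the watch right after the final "Apply" in the TMG console that re-enables EdgeSync; if it reports the address missing, the change was made while TMG still considered itself the owner of the setting, and the sequence has to be repeated with a policy application between each step.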

Comments (2)
  1. Hello Frank,

    Thanks for your contribution. It used to work precisely like that when I wrote the article in 2010. At that time I was working on the TMG Team and these steps were validated. I left the TMG Team in 2011, and all the TMG content that you find here in this blog is old and from the time I was working with that product. As of now I don't plan to update those articles, but whenever you find something that needs a refresh, feel free to leave a comment with updated instructions.

    Thanks again for helping the community.

  2. Frank Stevens says:

    You should update your instructions. 🙂 It doesn't work like that and TMG will just put it back. But I figured it out. It takes 3 TMG policy updates. What you need to do is disable the edge subscription and let TMG update the policy. Then go back to TMG, go to the mail policy and the properties of Internal_Mail_Servers. Then in the Routing tab add the IP of the server under the 'receive mail from' section. Apply and let TMG update. It will update Exchange Edge on all nodes. Then, after the TMG policy is updated, you can go back and enable the edge subscription and let TMG update the policy once again. Check the Exchange Management Console and you will see that TMG will allow the addition to stay. Hope this helps someone.
