All configuration needs to be done in the TMG console.
The error does not disappear, but mail flow is working and spam is being filtered.
MCSE:S, MCSE:M, MCITP, MCTS, CCNA, CCDA Infrastructure expert
Hi Nick,
please unmark Olav's answer, my proposal was accidental. His solved problem was completely unrelated to Kiwisek's (and mine) problem, which is still an unresolved issue. Maybe there is somebody who can help.
Thanks,
Dawid
"And I have found one more problem. After restart the Microsoft Forefront TMG Control service stays off and I have to start it manually"
Hi Martin,
Yes, I manually started the IsaManagedCtrl service for a while until I finally had the service startup setting "Automatic (delayed start)" working. Or maybe I solved that one after a certificate configuration change. Still no incoming mail and error 31506 keeps repeating while an edge subscription is active.
At some points I probably did not have the correct certificate setup. I've been searching and frankly I'm still not sure what is expected from Exchange/TMG. Right now I'm running like this:
- Edge: The TMG/Exchange edge server has 3rd party EV SSL SAN cert for IIS/Exchange use (covering mail. owa. and autodiscover.).
- Hub: The Exchange hub/cas/mailbox server has a cert with CN computername.domainname.rootdomain from our enterprise CA.
The 3rd party cert is added to the web listener of the TMG. Running Get-ExchangeCertificate on each server returns no other certificates. The edge server has SMTP set with Enable-ExchangeCertificate, and the hub has likewise enabled SMTP, IMAP, POP and IIS.
While trying some shots in the dark I deleted the self-issued cert once created by the Exchange Edge installation, but re-creating, or adding a cert from the enterprise CA did not help.
I get errors while trying to see the properties of the two Receive Connectors from the EMC on the edge:
- The operation couldn't be performed because object '<EdgeServerName>\External_Mail_Servers' couldn't be found on 'localhost'. It was running the command 'Get-ReceiveConnector -Identity '<EdgeServerName>\External_Mail_Servers''.
- The operation couldn't be performed because object '<EdgeServerName>\Internal_Mail_Servers' couldn't be found on 'localhost'. It was running the command 'Get-ReceiveConnector -Identity '<EdgeServerName>\Internal_Mail_Servers''.
Then, from the shell all looks ok as far as I can see:
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity '<EdgeServerName>\External_Mail_Servers'
Identity Bindings Enabled
-------- -------- -------
Helm\External_Mail_Servers {85.196.xxx.xxx:25} True
[PS] C:\Windows\system32>Get-ReceiveConnector -Identity '<EdgeServerName>\Internal_Mail_Servers'
Identity Bindings Enabled
-------- -------- -------
Helm\Internal_Mail_Servers {192.168.xxx.xxx:25, 85.196.xxx.xxx:25} True
I'm not sure if this has anything to do with the lost mail.
Otherwise it looks like settings keep in sync now.
Logging in TMG filtered by SMTP and LDAP (Edge) and LDAPS (Edge) always returns two entries while sending an e-mail to the organization:
- Initiated Connection <EdgeServerName> 29.12.2009 19:26:44
Log type: Firewall service
Status: The operation completed successfully.
Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
Source: External (213.158.233.150:57511)
Destination: Local Host (85.196.xxx.xxx:25)
Protocol: SMTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 213.158.233.150
- Closed Connection <EdgeServerName> 29.12.2009 19:26:49
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: [System] Allow SMTP traffic to the local host for mail protection and filtering
Source: External (213.158.233.150:57511)
Destination: Local Host (85.196.xxx.xxx:25)
Protocol: SMTP
Additional information
Number of bytes sent: 2054 Number of bytes received: 467
Processing time: 5414ms Original Client IP: 213.158.233.150
Later, this one repeats (like error 31506), trying from hub to edge:
- Denied Connection <EdgeServerName> 29.12.2009 19:34:04
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None - see Result Code
Source: Internal (192.168.xxxx.xxx:11936)
Destination: Local Host (192.168.yyy.yyy:50636)
Protocol: LDAPS(EdgeSync)
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.xxx.xxx
Any ideas?
Thanks.
-olav
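As an added example (not code from the thread or from Microsoft), a small Python parser for TMG log entries shaped like the ones quoted above; it separates the accepted inbound SMTP sessions from the denied hub-to-edge EdgeSync (LDAPS, port 50636) packets so the pattern behind the repeating error is easy to count. The log text is a constructed sample that reuses the post's own placeholders for the server name and addresses.

```python
import re
from collections import Counter

# Constructed sample shaped like the TMG log entries quoted in the post (placeholders kept as in the post).
SAMPLE_LOG = """\
- Initiated Connection <EdgeServerName> 29.12.2009 19:26:44
Source: External (213.158.233.150:57511)
Destination: Local Host (85.196.xxx.xxx:25)
Protocol: SMTP
- Closed Connection <EdgeServerName> 29.12.2009 19:26:49
Source: External (213.158.233.150:57511)
Destination: Local Host (85.196.xxx.xxx:25)
Protocol: SMTP
- Denied Connection <EdgeServerName> 29.12.2009 19:34:04
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Source: Internal (192.168.xxx.xxx:11936)
Destination: Local Host (192.168.yyy.yyy:50636)
Protocol: LDAPS(EdgeSync)
"""

ENTRY_RE = re.compile(r"^- (Initiated|Closed|Denied) Connection (\S+) (\S+ \S+)$")
FIELD_RE = re.compile(r"^(Status|Rule|Source|Destination|Protocol): (.*)$")
PORT_RE = re.compile(r":(\d+)\)\s*$")

def parse_tmg_log(text):
    """Turn the text export into one dict per connection entry (header line plus its fields)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"action": m.group(1), "server": m.group(2), "time": m.group(3)})
            continue
        m = FIELD_RE.match(line)
        if m and entries:
            entries[-1][m.group(1).lower()] = m.group(2)
    return entries

def dest_port(entry):
    """Destination port, e.g. 25 for SMTP or 50636 for the EdgeSync LDAPS listener."""
    m = PORT_RE.search(entry.get("destination", ""))
    return int(m.group(1)) if m else None

def edgesync_denials(entries):
    """Denied entries on the EdgeSync LDAPS protocol: the hub-to-edge sync traffic dropped as non-SYN packets."""
    return [e for e in entries
            if e["action"] == "Denied" and e.get("protocol", "").startswith("LDAPS")]

def summarize(entries):
    """Count (protocol, action) pairs so an SMTP-accepted / EdgeSync-denied split stands out."""
    return Counter((e.get("protocol"), e["action"]) for e in entries)
```

Run it over a text export of the TMG log filtered as the post describes (SMTP, LDAP (Edge), LDAPS (Edge)) to see whether the EdgeSync deny count keeps growing alongside error 31506.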
Hi, I'm having the same problem.
It looks like I can't set up the TMG e-mail policy since it is getting overwritten all the time. We can send e-mail but can't receive. I'm really lost (and embarrassed) after trying for two weeks.
Exchange installation is not exactly our core activity. We have been running our own Exchange servers because mailbox access and other messaging operations have been essential in several of our software products. We also run our company mailboxes from this installation. I decided that we could risk the upgrade for TMG in a low-activity period, without first setting up a lab network. Now I truly regret...
Soon heading for another solution, I'd like to see if anybody could make anything out of a case like this (please bear with me; I'll try to make it short):
We used to have one Exchange 2007 box and a single ISA2006 at the edge. All was nice. Then the network got replaced by a number of new Windows 2008 servers, and for some reasons we decided to keep it clean Win2008. So the ISA server had to go, replaced by a few separate edge servers while waiting for the Win2008 ready TMG. Later, all servers were upgraded to Win2008 R2, we set up a plain Exchange 2010 box with CAS/HUB/mailbox roles, and a plain edge server with Exchange 2010 edge role. Ok so far, but I couldn't make the web/mobile client access work this time.
A few weeks ago the Forefront Trust Management Gateway was RTM, and the TMG's integrated support for the Exchange edge installation was almost too good to be true. I saw the opportunity to more easily control the web/mobile client access, and at the same time free up a couple of servers. We already had a third party EV SSL SAN certificate for TMG and Exchange. Longing back to ISA server I found the TMG to be a great product! At least while setting up access rules, web publishing and similar.
By now mailboxes had been moved to the Exchange 2010 box, and the 2007 box had been properly uninstalled. I removed the subscription for the first Exchange 2010 edge server, and subscribed to the TMG box which had been installed plainly with Exchange 2010 edge role, Forefront 2010 for Exchange and TMG, in that order.
At first we could receive e-mail but not send. After checking certificate installations, re-subscribing, repairing installations, and reading all I could find on the subject, it looked like (according to some postings) the installation order somehow had been messed up after all. Removing and reinstalling all on the TMG (following notes/screenshots) simply made the sending of e-mail work instead of receiving.
The TMG server is a member server. This is the only thing I can think of not being straight from the recommendations. (We would of course prefer a separate dmz/edge domain with a one-way trust, and will consider that for later)
From what I have been reading the TMG can be joined to the internal domain, while it is recommended that a separate Exchange edge server is stand-alone or in a DMZ network. And the Exchange edge is recommended on the TMG. From this I make out that our setup is ok as long as we accept the security issue of exposing the Active Directory to an edge computer (for now).
Well, anybody know otherwise?
Any help would be very much appreciated.
Sad to report this is not fixed.
Running TMG with SP1, Exchange edge server with SP1, also Forefront for Exchange edge server.
If I apply a change, e.g. as in my post before (import a profanity list), TMG then overwrites it again, thus losing all the changes I made.
Hi All
The problem is now finally solved with Software Update 1 for TMG 2010 SP1 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695d0709-0d8b-45ee-afdb-727c4428ca4d
I have also updated the Exchange 2010 SP1 (Edge Role) on the TMG http://www.microsoft.com/downloads/details.aspx?FamilyID=50b32685-4356-49cc-8b37-d9c9d4ea3f5b&displaylang=de
No more errors since then :o)
Regards
Andres