I think that no matter what the issue is, be it exchange or Forefront protection, that TMG is overwriting any configuration changes. These products need to work hand in hand rather than 1 dominant product.
Yes if TMG recognises a configuration changes that opens a security hole, by all means over-ride ,but in our case the simple important of keywords into Forefront, should be picked up by TMG and acknowledged.