1. Introduction

Consider a scenario where the firewall administrator configures the E-Mail Protection feature on Forefront TMG 2010 and enables EdgeSync traffic, as shown below:

Fig1

The environment was working fine, but later the firewall administrator wants to add an additional IP to the Receive Connector (in Forefront TMG terminology, this is the External SMTP Route). However, when trying to open the properties of this connector on TMG and going to the routing tab, the following message appears:

Fig2

Note: When EdgeSync is enabled, you can't make direct changes to some properties of the Exchange Edge and should make them via the Exchange Hub Transport Server. For more information on the settings that are replicated via EdgeSync, see http://technet.microsoft.com/en-us/library/bb232177.aspx

The firewall administrator contacted the Exchange administrator, who tried to change this setting directly on the Exchange Edge console by following the procedure below:

Fig3

Some time after this setting was applied, the following message appeared in Forefront TMG Alerts:

Fig4

After this message appears, the configuration is reverted to its original state (without the additional IP on the send connector).

2. Why can't I change my Exchange Edge settings?

This is expected behavior when Exchange Edge is installed on the same computer as Forefront TMG 2010 as part of the E-Mail Protection feature. The Forefront TMG Managed Control Service is responsible for identifying changes to the E-Mail Protection policy and replicating them from TMG to Exchange Edge, which means that changes made directly on the Exchange console will be overwritten.

3. What should I do if I need to add an additional IP to the External connector?

The workaround for adding additional IPs after configuring EdgeSync via E-Mail Protection on TMG 2010 is to temporarily disable EdgeSync via the TMG 2010 console, as shown below:

Fig5

After disabling this setting and applying the changes on TMG, you can change the External connector to add the additional IP. Once the additional IP is added, you can re-enable EdgeSync using the procedures from Using Mail Protection with Exchange EdgeSync on Forefront TMG.