When managing Microsoft Exchange Server alongside Forefront Threat Management Gateway (TMG), administrators frequently encounter the message “Forefront TMG detected changes in Microsoft Exchange Server or Microsoft Forefront Protection configuration, and reapplied the e-mail policy configuration.” This article explains what triggers this message, how email policies work across Exchange and TMG, and the various approaches to resolve recurring reapplication issues.

Understanding the E-mail Policy Reapplication Message

The “e-mail policy configuration reapplied” notification appears in the TMG management console and event logs when TMG detects a change in either the Exchange Server configuration or the Forefront Protection for Exchange configuration. TMG monitors these configurations to ensure its email protection policies remain synchronized with the mail infrastructure.

The message itself is informational in many cases. However, when it appears repeatedly — sometimes every few minutes — it indicates an underlying synchronization problem that should be addressed.

Common Causes of Repeated Reapplication

Locale Mismatch

One of the most frequent causes is a non-standard locale setting on the server. If the system locale is set to anything other than EN-US, TMG can enter a loop where it continually detects a “change” that is actually a locale-related formatting difference. This is a known bug that Microsoft acknowledged and addressed through hotfixes.

Exchange Configuration Changes

Any change to the Exchange organization that affects mail flow can trigger a reapplication:

  • Adding or removing Exchange servers
  • Modifying send connectors or receive connectors
  • Changing accepted domains
  • Updating email address policies
  • Modifying transport rules

Forefront Protection for Exchange Updates

When Forefront Protection for Exchange (FPE) receives engine or definition updates, TMG may detect these as configuration changes and reapply the email policy.

Certificate Changes

Updating or renewing SSL certificates used by Exchange for SMTP communication can also trigger the reapplication cycle.

Resolving the Reapplication Issue

Option 1: Apply the Microsoft Hotfix

Microsoft released hotfixes specifically to address the excessive reapplication issue in TMG. Check the Microsoft Knowledge Base for the latest cumulative update for your TMG version. The hotfix corrects the logic that TMG uses to detect changes, preventing false positives from locale differences.

Option 2: Remove Forefront Protection for Exchange

In some environments, removing Forefront Protection for Exchange resolves the issue entirely. This approach is viable if you have alternative anti-malware scanning for email (such as a third-party gateway or Exchange Online Protection).

To remove FPE:

  1. Open Programs and Features on the Exchange server
  2. Uninstall Forefront Protection for Exchange
  3. Restart the Exchange transport services
  4. Verify in the TMG console that the reapplication messages stop

Option 3: Reconfigure the E-mail Policy in TMG

If removing FPE is not an option, you can try reconfiguring the email policy from scratch:

  1. Open the Forefront TMG Management console
  2. Navigate to E-Mail Policy
  3. Delete the existing email policy configuration
  4. Re-run the E-Mail Policy Wizard to recreate it
  5. Ensure locale settings on both the TMG server and Exchange server are set to EN-US
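Step 5 is easy to get wrong when the servers were built from different images, so a quick remote check is worthwhile. The following PowerShell is an added example, not code from the original article; the server names are placeholders, and it assumes PowerShell remoting is enabled on the targets and that the system locale is the one stored under the Nls\Language registry key.

```powershell
# Added example: confirm the system locale on each TMG and Exchange server is en-US.
# Placeholder host names; replace with the real TMG and Exchange servers.
$servers = @('TMG01', 'EXCH01')

$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    # The system locale (language for non-Unicode programs) is stored as a
    # hexadecimal LCID; 0409 is English (United States).
    $lcidHex = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\Language').Default
    $lcid    = [Convert]::ToInt32($lcidHex, 16)
    $culture = New-Object System.Globalization.CultureInfo ($lcid)

    # Get-Culture / Get-UICulture reflect the account running this remote
    # session, not the service accounts, so treat them as a hint only.
    New-Object PSObject -Property @{
        Server         = $env:COMPUTERNAME
        SystemLocale   = $culture.Name
        SessionCulture = (Get-Culture).Name
        SessionUI      = (Get-UICulture).Name
    }
}

$results | Select-Object Server, SystemLocale, SessionCulture, SessionUI | Format-Table -AutoSize

# Anything other than en-US on SystemLocale is a candidate for the
# locale-related reapplication loop described above.
$offenders = $results | Where-Object { $_.SystemLocale -ne 'en-US' }
foreach ($o in $offenders) {
    Write-Warning ("{0}: system locale is {1}, expected en-US" -f $o.Server, $o.SystemLocale)
}
```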

Exchange Email Address Policies

Beyond the TMG-specific email policy, Exchange Server has its own email address policy system that controls how SMTP addresses are generated for recipients. Understanding these policies is important for overall mail management.

How Email Address Policies Work

Email address policies define templates for generating email addresses. When a new mailbox is created or a policy is applied, Exchange uses these templates to stamp addresses on the recipient object.

A default policy is created during Exchange installation:

%g.%s@yourdomain.com    (firstname.lastname@yourdomain.com)

Viewing Email Address Policies

# List all email address policies
Get-EmailAddressPolicy

# View details of a specific policy
Get-EmailAddressPolicy -Identity "Default Policy" | Format-List

Creating a New Email Address Policy

# Create a policy for a specific department
New-EmailAddressPolicy -Name "Sales Department" `
    -RecipientFilter "Department -eq 'Sales'" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@sales.example.com" `
    -Priority 1

Applying and Reapplying Email Address Policies

Email address policies are not automatically applied when created or modified. You must explicitly apply them:

# Apply a specific policy
Update-EmailAddressPolicy -Identity "Default Policy"

# Apply all email address policies
Get-EmailAddressPolicy | Update-EmailAddressPolicy

Common Scenarios Requiring Policy Reapplication

You need to reapply email address policies when:

  • A new email domain is added — Create a new policy or update the existing one to include the new domain, then apply it.
  • A user’s department changes — If policies are filtered by department, the user’s addresses update when the policy is next applied.
  • Bulk user migrations — After migrating users from one OU or domain to another, policies may need to be reapplied to stamp correct addresses.
  • Policy priority changes — If you reorder policy priorities, reapply them to ensure the correct policy wins for each recipient.
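After any of these scenarios, it helps to verify that the reapplication actually stamped the addresses you expect rather than assuming it did. The script below is an added example and not part of the original article: it reapplies every policy and then reports policy-enabled mailboxes whose primary SMTP domain does not match the domain assumed for their department. The department-to-domain table is an illustrative assumption that mirrors the Sales policy created earlier.

```powershell
# Added example: reapply all e-mail address policies, then audit the result.
# Assumed mapping of department to the SMTP domain its policy should stamp.
$expectedDomain = @{
    'Sales' = 'sales.example.com'   # matches the "Sales Department" policy template
    '*'     = 'example.com'         # assumed domain for everyone else
}

# Same reapplication step as shown above; this touches every recipient,
# so run it in a maintenance window on a large organization.
Get-EmailAddressPolicy | Update-EmailAddressPolicy

$mismatches = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited |
                                Where-Object { $_.EmailAddressPolicyEnabled })) {
    # Department lives on the user object, not the mailbox object.
    $dept = (Get-User -Identity $mbx.Identity).Department
    $want = if ($dept -and $expectedDomain.ContainsKey($dept)) {
        $expectedDomain[$dept]
    } else {
        $expectedDomain['*']
    }
    # PrimarySmtpAddress is an SmtpAddress object exposing Local and Domain.
    $actual = $mbx.PrimarySmtpAddress.Domain
    if ($actual -ne $want) {
        New-Object PSObject -Property @{
            Mailbox        = $mbx.Alias
            Department     = $dept
            ExpectedDomain = $want
            ActualDomain   = $actual
        }
    }
}

if ($mismatches) {
    $mismatches | Select-Object Mailbox, Department, ExpectedDomain, ActualDomain | Format-Table -AutoSize
} else {
    'All policy-enabled mailboxes carry the expected primary SMTP domain.'
}
```

A mailbox listed here with EmailAddressPolicyEnabled set to $false is expected to be absent from the report; those are handled in the next section.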

Checking a Recipient’s Email Addresses

# View all email addresses for a specific mailbox
Get-Mailbox -Identity "john.doe" | Select-Object -ExpandProperty EmailAddresses

# Check which policy applies to a recipient
Get-Mailbox -Identity "john.doe" | Select-Object EmailAddressPolicyEnabled, EmailAddresses

Disabling Policy for Individual Recipients

Sometimes you need a recipient to have a custom address that does not follow any policy:

# Disable email address policy for a specific mailbox
Set-Mailbox -Identity "john.doe" -EmailAddressPolicyEnabled $false

# Then set custom addresses
Set-Mailbox -Identity "john.doe" -EmailAddresses @{
    add = "smtp:custom.address@example.com"
}

TMG E-mail Policy Architecture

Understanding how TMG processes email helps diagnose policy issues:

  1. Inbound email arrives at the TMG server on port 25
  2. TMG applies connection filtering (IP allow/block lists)
  3. The message is passed to the Exchange Edge Transport role
  4. Forefront Protection for Exchange scans for malware
  5. Exchange transport rules and content filtering are applied
  6. Clean messages are relayed to the internal Exchange server

The “e-mail policy configuration reapplied” event occurs when TMG re-synchronizes steps 2 through 5 with the current Exchange and FPE configuration.

Monitoring E-mail Policy Health

Event Log Entries to Watch

Monitor these Event IDs in the TMG-related event logs:

  • Event ID 23005 — E-mail policy configuration reapplied (informational)
  • Event ID 23006 — E-mail policy configuration failed to apply (error)
  • Event ID 14002 — SMTP route configuration error
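A single Event ID 23005 is informational; what you want to catch is the rate. The script below is an added example (not from the original article) that counts reapplication events per hour and surfaces any 23006 failures. It assumes the TMG events land in the Application log on the TMG server and uses an illustrative per-hour threshold; adjust both to your environment.

```powershell
# Added example: detect a TMG e-mail policy reapplication loop from the event log.
$hours     = 24
$threshold = 4        # reapplications per hour that suggest a loop (assumed value)
$since     = (Get-Date).AddHours(-$hours)

# Assumption: TMG writes these IDs to the Application log. Change LogName if
# your TMG server records them elsewhere.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 23005, 23006
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No 23005/23006 events in the last $hours hours."
    return
}

# Any 23006 means a policy failed to apply; report those first.
foreach ($f in ($events | Where-Object { $_.Id -eq 23006 })) {
    Write-Warning ("{0}  e-mail policy FAILED to apply: {1}" -f $f.TimeCreated, $f.Message)
}

# Bucket the 23005 events by hour and flag hours above the threshold.
$events | Where-Object { $_.Id -eq 23005 } |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    ForEach-Object {
        $flag = if ($_.Count -ge $threshold) { '  <-- possible reapplication loop' } else { '' }
        '{0}  {1,3} reapplications{2}' -f $_.Name, $_.Count, $flag
    }
```

Hours flagged here are the ones to correlate with the TMG SMTP Filter log entries described in the next section.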

Using TMG Logging

Enable detailed logging in TMG to track email policy changes:

  1. Open Forefront TMG Management
  2. Navigate to Logs & Reports
  3. Configure logging to capture SMTP Filter events
  4. Review logs for patterns that correlate with the reapplication events

Best Practices

  • Keep TMG and Exchange patched — Apply all cumulative updates and service packs to both products.
  • Use EN-US locale — Set the system locale to EN-US on all TMG and Exchange servers to avoid the locale-related reapplication bug.
  • Test email policy changes in a maintenance window — Changes to email policies can temporarily disrupt mail flow as TMG reapplies configurations.
  • Monitor event logs proactively — Set up alerts for Event ID 23006 (policy application failure) so you catch issues before they impact email delivery.
  • Document your email address policy hierarchy — Keep a record of all policies, their priorities, and their filters to make troubleshooting easier.

Summary

The “e-mail policy configuration reapplied” message in Forefront TMG is typically triggered by configuration changes in Exchange or Forefront Protection for Exchange. While often informational, repeated occurrences usually point to a locale mismatch or a synchronization issue that can be resolved with Microsoft hotfixes, by removing Forefront Protection for Exchange, or by reconfiguring the email policy. Understanding both the TMG email policy and Exchange email address policies gives you the full picture needed to manage email infrastructure effectively.