Recently I encountered TMG Managed Control Service crashing at a client site where they have been using TMG as a back-end firewall. The same server was also being used as an Exchange 2007 Edge server also running Forefront Protection for Exchange 2010. All server roles were patched with the latest updates and rollups. The connectivity between the Edge and the Hub was implemented successfully and also verified using Test-EdgeSync. TMG also showed Edge and Hub connectivity. Everything looked healthy but the IT administrator was receiving email alerts with the following:
“Email Policy could not be applied. Value does not fall within the expected range.”
Went to the services MMC and tried to start the TMG Managed Control Service manually. The service failed to start. Upon checking the event logs, I found that the Application Log showed:
- Event ID 31309: E-mail policy configuration settings cannot be applied.
- Event ID 31308: The Forefront TMG Managed Control service failed to initialize. Error information: The type initializer for ‘Microsoft.Isa.Smtp.ExchangeRunspace’ threw an exception.
- Event ID 31307: The Forefront TMG Managed Control service was stopped gracefully.
and the System Log showed Event ID 7023: The Microsoft Forefront TMG Managed Control service terminated with the following error: %%-2146233036
The next step was to check the Edge and Hub communication and as expected it should that the sync was not working. TMG console showed everything configured and all Anti-Spam rules enabled. I had no choice but to pick up the phone and shake someone up in Microsoft technical team for an answer. Sadly, no clue from there too, but one thing that came up in the discussion was to clear all Anti-Spam settings and then give this a reboot. Long process, but to cut things short, here is the solution that worked.
For those facing this issue, open up Exchange Shell on the Edge server and run:
This should come up with a list of entries. The next step is to remove these. Run the following command:
Get-IpBlockListEntry | RemoveIpBlockListEntry
To clear all entries, answer with an “A”. Started the service this time and the TMG Managed Control Service started successfully.
Though running the command of Get-IpBlockListEntry after 10-15 minutes showed that the list was building up once again and after 30 minutes the TMG managed Control Service crashed once again.
The only workaround that I could implement to fix this permanently was to disable the Sender Reputation Service in TMG. It has been more than a week now and the TMG Managed Control Service has not crashed once.