I'm a little confused about setting up the Email policy. TechNet states that Forefront Protection for Exchange and Exchange Hub Transport role are required for this to work - but why am I allowed to configure it if I don't have either of those installed on my TMG server? The response to this question may make the next 2 questions moot:
During the configuration, the authoritative domain example lists the 2 examples "server.contoso.com, *.contoso.com" - we only have one domain, so would the proper response be simply contoso.com?
Last, I'm uncertain as to the meaning of "Specify the public domain name or IP address the e-mail listener provides in response to SMTP session initiation messages (HELO,EHLO)" - this *sounds* like it should be the external DNS name of my Exchange server, i.e. mail.contoso.com - *not* mail.contoso.local.