I just used this article to help setup a site-to-site vpn with TMG server in our test environment which is as follows: a single TMG server in our DC office, and 2 TMG servers in our Chicago office in a back-to-back configuration. The internal network located behind the backend firewall in Chicago needs to communicate with the internet network in DC -- therefore a site-to-site vpn was setup.
To get this to work, we had to perform the registry hacks on both servers (DC TMG server, and the Chicago Back-end TMG server) to allow NAT-T in Windows Server 2008 R2. Another thing that we had to do, which was not stated in this particular article was that we also had to create an access rule on the CHI front-end firewall to allow UDP 500/4500 from the *CHI front-end* firewall. I found this a bit puzzling since, on the CHI front-end firewall there was already a publishing rule to allow DC->CHI (back-end firewall), and an access rule for CHI(back-end firewall)->DC. Not sure why the CHI front-end firewall specifically needed an access rule for this to work? (Further puzzling, is that using "Local Host" as the source did not work. Instead, we had to create an entry for the front-end firewall's external NIC IP.)
...just hoping to further understand NAT-T in site-to-site scenarios and how all this works. Thanks in advance.