Forefront TMG Malware Protection and the Unified Access Gateway (UAG)
Forefront Threat Management Gateway (TMG) 2010 includes integrated virus and malware inspection capabilities that provide enhanced protection for clients accessing the Internet through TMG. The scanning engine used by TMG is the same engine included in many Forefront protection technologies such as Forefront Protection for Exchange (FPE), Forefront Protection for SharePoint (FPS), and the forthcoming Forefront Endpoint Protection (FEP), just to name a few. This same scanning engine is also the heart of the Microsoft Security Essentials desktop antivirus offering, which is very highly rated by independent third parties. It has a proven track record of being efficient and performing well, with a high degree of accuracy and extremely low false positives.
Since the Forefront Unified Access Gateway (UAG) 2010 includes TMG, many UAG administrators believe that they can enable TMG malware protection to protect their UAG-published applications. Unfortunately, this does not work. With UAG, all SSL VPN traffic is processed by the UAG ISAPI filter, not the underlying TMG firewall. TMG is used only to protect the UAG host itself, so enabling TMG malware inspection on the UAG system has no effect whatsoever.
If you are thinking you can leverage the malware inspection capabilities when publishing applications using TMG, it still doesn’t work. With TMG, the malware inspection engine works only in forward proxy scenarios (HTTP requests made by TMG protected clients). Malware inspection does not apply to reverse proxy traffic at all in TMG.
Connect
Richard Hicks' Forefront TMG Blog 
Very interesting info, Richard! Can you provide any link to the official documentaion or the product team blog post?
Although I’m sure this is documented officially somewhere, you can see for yourself by looking at the properties of the Malware Inspection Filter. There you will see the direction listed as ‘Outgoing Web Requests’.
So what are the alternatives for malware scanning via Forefront UAG? Is there anyway to scan the inbound traffic at the UAG server? The built in TMG Network Inpection Service seems to be the best bet, however the information at http://technet.microsoft.com/en-us/library/ee522953.aspx suggests that when used with UAG, TMG is not supported as an Intrusion Prevention system? What does this mean?
Currently there are no alternatives for scanning content for viruses and malicious software on Forefront UAG. The Forefront server protection technologies for SharePoint and Exchange are available to protect those applications, but obviously this doesn’t help you for other published applications. We’ve been asking for this functionality in both Forefront TMG and UAG for quite some time. it is possible that future releases may include this functionality, however. Stay tuned… 🙂
We’re about to move our infrastructure into co-location and until I saw the EOL notice for TMG last year I’d planned to use an enterprise TMG array for all our RP/publishing requirements – our MS rep pushed UAG at us as an alternative despite the fact that even though specified as a requirement it doesn’t do malware/exploit scanning/blocking on the traffic it proxies. Very pleased i stumbled across this and now DA is part of 2012 it seems like a product without a proper niche. Such a shame as TMG did all this so well! many thanks Richard.
Agreed. UAG is an excellent alternative, and provides more protection even than Forefront TMG 2010 does in reverse proxy scenarios. You’re right though, it does not provide malware protection which was a highly requested feature for both TMG and UAG. Perhaps UAG v.Next will include it? Hope so!