Good old TMG..
Just a quick reference guide when the grey stuff gets fuzzy 🙂

  • The published site is the public external web FQDN
  • Use Browse to find the internal Front End pool; this also tests DNS resolution
  • Check the box to forward the original host header
  • Set the radio button so that requests appear to come from TMG

Add the public names (these will of course match the public A records requested).
What you need is:

  • meet and dialin (often times I’ll merge these two)
  • lyncdiscover for the 2013 and mobile clients
  • external web services (same as published site)

TMG won’t be doing any pre-authentication, but clients will need to authenticate directly to the Front End.

Bridge the ports so that http traffic to port 80 goes to 8080 and https traffic to port 443 goes to 4443. If not using 80 you can ignore the http bridge.

On the listener, ensure that authentication is set to “No Authentication”.
If you are not using port 80, disable it here.

Even after publishing the firewall rule, check the Monitoring tab to make sure the configuration has been successfully synced
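
Once the rule has synced, the published path can be checked from both sides. The following PowerShell is an added example, not part of the original post: the FQDNs are placeholders (assumptions) to be replaced with your own, and it assumes a machine that has `Resolve-DnsName` and `Test-NetConnection` (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Placeholder names (assumptions): substitute your own public and internal FQDNs.
$PublicNames  = @(
    'meet.example.com',
    'dialin.example.com',
    'lyncdiscover.example.com',
    'webext.example.com'          # external web services = the published site
)
$FrontEndPool = 'fepool.example.local'   # internal Front End pool

function Test-PublishedEndpoint {
    # Resolves each name to an A record, then tries a TCP connect on each port.
    param(
        [string[]]$Name,
        [int[]]$Port
    )
    foreach ($n in $Name) {
        $a = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        foreach ($p in $Port) {
            $ok = $false
            if ($a) {
                $ok = (Test-NetConnection -ComputerName $n -Port $p `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
            }
            [pscustomobject]@{
                Name      = $n
                Address   = ($a.IPAddress -join ',')
                Port      = $p
                Reachable = $ok
            }
        }
    }
}

# Outside the perimeter: every public name needs an A record and must answer
# on 443. Add 80 to -Port only if the http bridge is in use.
Test-PublishedEndpoint -Name $PublicNames -Port 443 | Format-Table -AutoSize

# Inside the perimeter: the bridge targets on the Front End pool.
# Drop 8080 if port 80 is not published.
Test-PublishedEndpoint -Name $FrontEndPool -Port 4443, 8080 | Format-Table -AutoSize
```

A row with an empty Address points at a missing A record; a resolved name with Reachable = False points at the listener, the bridge ports or a firewall in between.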