I'm sure this has to do with the way TMG was developed. According to:
Bypassing Forefront TMG for firewall client requests
Microsoft Forefront Threat Management Gateway is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used.
Direct access enables Firewall client computers to do the following: Bypass the Microsoft Firewall Client configuration and connect directly to resources. Make Web proxy requests that bypass the Web proxy filter.
This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy.
This also covers significant limitations of TMG in a 'single adapter configuration', which is similar to how B would connect to the web server: