Allowing outgoing FTP behind Forefront TMG
One of the issues I faced this week at one of my customers, was the configuration to allow outgoing FTP behind a Forefront TMG proxy.
Owkay, this one’s easy I thought… not so !!
At first, I started with the “well-known” parameters to configure, as it was the case for ISA 2006
a) create an Access Rule to allow FTP from internal to external, all users
b) right-click this rule, “configure FTP” and de-select “read only”
c) Go to the System topic in the left, Application Filters, FTP application filter, select “allow active FTP”
however, with these settings alone, it did still not work; not from browser, FTP client (eg Filezilla) or command prompt.
Finally, Microsoft support forum guided me in the right direction : To allow this “complicated bi-directional traffic passing through the TMG firewall layer”, you should install the Forefront TMG Client, which can be downloaded from here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=53010a09-3c5c-4d5d-9ae1-692e7447c5bd
Next / Next / Finish + reboot PC (not required, though recommended by MS)
enter in the TMG server in the settings tab (I will post a new article on how to make the “automatically detect” work, restart the FTP client and see it all working 
/Peter