Try running this on TMG; requires a restart.
netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent
Set the value to 1 to reverse.
I am not 100% sure of the details behind the command; however, I do know it resolved an unrelated VPN/L2TP issue behind TMG.