I was building a TMG 2010 architecture for one of my customers and during this period I consolidated some of the limitations and considerations in specific scenarios. This article is a one-place summary for them:
Single network adapter functionality:
The single network adapter topology enables limited Forefront TMG functionality, that includes:
Limitations of a single network adapter topology:
The following limitations apply when you use the single network adapter topology:
Workgroup Considerations:
The following considerations must be taken into account when deploying solution components into a workgroup environment:
Remote management through a firewall:
If you are connecting to Forefront TMG through a firewall for remote management, or as a Forefront TMG protected client, note the following:
The ports required at the intervening firewall are described in the article Service overview and network port requirements for the Windows Server system (http://go.microsoft.com/fwlink/?LinkId=156514).
Authentication considerations:
You should consider the following authentication issues when selecting a domain or workgroup deployment:
Enterprise Management Servers:
ISP-R:
You actually CAN reverse-engineer running policy into the EMS-format policy.
The current array configuration can be exported from the array node's registry to XML using a script with root.ConnectToLocalStorage. Then this XML file, after some modifications, can be successfully imported to CSS.
I tested this method after the only TMG EMS server was lost and no configuration backup was available.
I described it in detail here: ant-sh.blogspot.com/.../retrieve-current-TMG-configuration-from-array-node-registry.html