Proved your users with a VPN that can be accessed through SSL only. Simple.
In UAG there are two methods to do this. One is by using the legacy network connector. The other is to use a SSTP (Secure Sockets Tunnelling Protocol) VPN.
Since my primary client base is Windows 7 and Windows Vista I am going to use the SSTP option.
This link has a step my step.
another more user friendly article is this one
Once this is done you will also be able to set up your own VPN network connection to connect directly to the server. This is handy except all the nice machine checking and portal access and stuff does not happen. You need to also follow this article to close things up again:
Configuring Forefront TMG to block users over SSTPhttp://technet.microsoft.com/en-us/library/ff607396.aspx
Okay so now you have followed the articles but it is still not working. What gives?
I statically assign a pool of ip addressed for my VPN clients. The pool is in the 172. range and not the 10. that the rest of my lab is in. So I need to change my network relationship in TMG from route to NAT.
If you still have no luck let me know.