ISA or TMG problems with RPC protocols and also Exchange

  1. Turn off "Enforce strict RPC compliance" (the site-to-site tunnel issue, etc.)
  2. See: http://blogs.technet.com/isablog/archive/2007/05/16/rpc-filter-and-enable-strict-rpc-compliance.aspx
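Before loosening anything on TMG it helps to know which rules actually carry RPC/DCOM protocols and whether the RPC application filter is still enabled at all (disabling the whole filter, as opposed to unticking strict compliance on specific rules, removes all RPC inspection on the box). The script below is an added, read-only audit example and is not code from the original note or from Microsoft; it assumes the TMG Administration COM object model (`FPC.Root`, `GetContainingArray()`, `ArrayPolicy.PolicyRules`, `Extensions.ApplicationFilters`, `AccessProperties.SpecifiedProtocols`) as I recall it from the ISA/TMG SDK, and the property names should be checked against the SDK documentation. Run it in an elevated PowerShell session on the TMG server itself.

```powershell
# Added audit example (not from the original note). Assumption: TMG Administration
# COM object model property names as recalled from the ISA/TMG SDK; verify before use.
$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()

# 1. Global state of the RPC application filter. If this is disabled, no RPC traffic
#    is inspected anywhere, which is a much broader change than per-rule strict compliance.
$array.Extensions.ApplicationFilters |
    Where-Object { $_.Name -like '*RPC*' } |
    ForEach-Object { "Filter '{0}' enabled: {1}" -f $_.Name, $_.Enabled }

# 2. Access rules whose protocol list includes an RPC-based protocol definition.
#    These are the rules where the 'Enforce strict RPC compliance' checkbox applies,
#    so review them individually instead of switching the filter off globally.
$rpcProtocolPattern = 'RPC|DCOM|Exchange'   # assumption: match on protocol definition names
foreach ($rule in $array.ArrayPolicy.PolicyRules) {
    try {
        $protos = @($rule.AccessProperties.SpecifiedProtocols | ForEach-Object { $_.Name })
    } catch {
        continue   # publishing rules have no AccessProperties; skip them
    }
    $hits = @($protos | Where-Object { $_ -match $rpcProtocolPattern })
    if ($hits.Count -gt 0) {
        "Rule '{0}' (enabled: {1}) uses: {2}" -f $rule.Name, $rule.Enabled, ($hits -join ', ')
    }
}
```

Run this once before and once after changing the RPC settings and keep both outputs with the change record, so the scope of what was relaxed (a handful of inter-datacenter rules versus the whole RPC filter) is documented and can be tightened again later.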

Note sent to MS ISA team blog:

Guys, I think this might be a good article for your blog. I've read your existing information on RPC, etc, but I think I've come across some significant problems for any Microsoft infrastructure. Here is the scenario: I have two datacenters (A & B) and these are both connected to the internet. The FWs connecting these sites to the internet are TMG2010 on 2008 R2. These firewalls are the default gateways and only routers for everything in each datacenter. I also use these TMG2010 servers to provide a site-to-site VPN tunnel (IPSEC PSK) between the datacenters (different privately addressed subnets). Everything works fine to/from the internet, including publishing of complex protocols.

Now here's the issue: almost everything works between the datacenters... I get numerous seemingly random errors on my servers (all 2008 R2) in both datacenters. These errors are associated with various Windows and AD functions, and as near as I can tell are associated with the DCOM/RPC issues you've written about previously. That being said, this causes big problems for enterprise/computer certificate registration. The other big problem is Exchange 2010, which gets numerous errors trying to do everything from querying other hosts to setting up DAGs. It just doesn't work right.

The only way I've been able to resolve these issues is to completely disable all RPC checking of any sort on TMG. I've turned off strict filtering for the 3 associated protocol definitions, and I've also disabled the RPC protocol filter itself.

This really lends itself to discussing the bigger problem at hand; why isn't there a way in TMG to open access between trusted networks? By open I mean no protocol filtering that seems to invisibly "break" Microsoft's own protocols... why doesn't TMG work out of the box to support Microsoft WAN implementations? This has to fit with a large portion of your customer base... issues like these were resolved 10 years ago in products like Checkpoint, I hope MS can get this resolved...