I would like to know if TMG behind a NAT device supports S2S IPsec tunnels, and what I would additionally have to configure on TMG.
Thanks in advance
It depends on what type of firewall/NAT device you have in front of the TMG; in most cases this is possible.
You need to open and redirect traffic on several ports: UDP 500, 4500, and IP protocol 50.
There is a good article on how to troubleshoot VPN with ISA, which is also true with TMG. See the title "An IPsec tunnel cannot be established through a NAT device or router" on this link: