We came across an issue recently where we deployed a TMG Server into a new site and configured it to upstream all connections to an ISA 2006 box.
All worked perfectly until users went to browse HTTPS and they were unable to when pointing there proxies to the new TMG Server. However if they pointed it directly at the upstream box HTTPS worked perfectly.
After looking in the TMG and ISA logs all connections were getting allowed and no denies at all.
The issue was a bug in TMG and has now been resolved in TMG SP1 Update 1 RU2