Having just run around the world on this, it would appear that even with TMG SP1, Server 2008 R2 does not allow TMG to do simple PPTP VPN. I foolishly thought I would insert the VPN service into my lab as a quick test. All my web publishing rules continued to work flawlessly: Lync Web Components, NAT for my Lync, Exchange 2010 publishing – everything worked except VPN.
If you are intensely interested, the VPN connection would be made, but no traffic was allowed to flow. Don’t know why, and at this point I don’t much care.
I fixed it by building a new server on 2008 SP2. If you are doing a project that includes TMG and want to have the same TMG provide VPN, you should most likely think about it and lab it before you continue.
Hopefully, someone can point out the errors of my ways and show me what I did wrong. YMMV.