In November 2010 Microsoft released a great document: Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010.
In most cases you will use TMG as a firewall, between the Internet and your internal network.
Some weeks ago I did an Exchange 2010 migration and I didn't want a big-bang scenario.
The first thing I asked myself when designing the new infrastructure:
Domain Joining Forefront TMG or Leaving in a Workgroup
In most organizations, the decision whether to domain join the server hosting Forefront TMG to your production domain may be one of the most important parts of the deployment.
Forefront TMG deployments are more complex to discuss because Forefront TMG is considered a firewall and can protect the network edge. Domain joining Forefront TMG offers many advantages: it allows certificate-based authentication to be used at Forefront TMG, using Kerberos Constrained Delegation to communicate with Exchange; it allows easy use of Active Directory groups and user objects in publishing rules to restrict access; and it provides other benefits. If you are not sure whether to domain join Forefront TMG, see Debunking the Myth that the ISA Firewall Should Not be a Domain Member.
I think that the best practice is to domain join TMG, because it makes your life a lot easier.
First: I created an Exchange 2010 group in Active Directory.
Second: you make the Exchange 2010 group available in TMG.
Third: you make four rules, 2 for Exchange 2010 (OWA & ActiveSync) and 2 for your legacy server or servers (OWA & ActiveSync).
Fourth: make sure that the Exchange 2010 rules are above the legacy rules. TMG evaluates the rules from top to bottom and uses the first one that matches.
Fifth: on the Exchange 2010 rules you change "All Authenticated Users" to the Exchange 2010 group. (After the migration you delete the legacy rules and change the Exchange 2010 group on the 2010 rules back to "All Authenticated Users".)
Sixth: when you do a mailbox move you put the user in the Exchange 2010 group.
Why, you may think? When the user is in the Exchange 2010 group the PDA will use the Exchange 2010 rule. When the user is not in the Exchange 2010 group the legacy rule will do the trick.
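To show why the rule order in step four matters, here is a small model of TMG's first-match evaluation of the four publishing rules. This is an added example written for this post, not Forefront TMG code; the rule names, group name, backend names and users are constructed.

```python
# Added example: a minimal model of first-match web publishing rule evaluation.
# Not Forefront TMG code; rule names, group name and backends are constructed.
from dataclasses import dataclass, field

ALL_AUTHENTICATED = "All Authenticated Users"
MIGRATED_GROUP = "Exchange 2010"          # the AD group created in step one

@dataclass
class PublishingRule:
    name: str
    paths: tuple            # published path prefixes this rule applies to
    backend: str            # server the request is forwarded to
    users: str              # ALL_AUTHENTICATED or an AD group name

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

def rule_matches(rule, user, path):
    if not any(path.lower().startswith(p.lower()) for p in rule.paths):
        return False
    return rule.users == ALL_AUTHENTICATED or rule.users in user.groups

def first_match(rules, user, path):
    """TMG walks the rules top to bottom and stops at the first match; no match means deny."""
    for rule in rules:
        if rule_matches(rule, user, path):
            return rule.backend
    return None

OWA, EAS = ("/owa",), ("/Microsoft-Server-ActiveSync",)
ex2010_owa = PublishingRule("Exchange 2010 OWA", OWA, "ex2010", MIGRATED_GROUP)
ex2010_eas = PublishingRule("Exchange 2010 ActiveSync", EAS, "ex2010", MIGRATED_GROUP)
legacy_owa = PublishingRule("Legacy OWA", OWA, "legacy", ALL_AUTHENTICATED)
legacy_eas = PublishingRule("Legacy ActiveSync", EAS, "legacy", ALL_AUTHENTICATED)

CORRECT_ORDER = [ex2010_owa, ex2010_eas, legacy_owa, legacy_eas]   # step four
WRONG_ORDER = [legacy_owa, legacy_eas, ex2010_owa, ex2010_eas]     # legacy rules on top

def route_after_mailbox_move(rules, user):
    """Step six: the group membership is the only change; returns the backend before and after."""
    before = first_match(rules, user, "/Microsoft-Server-ActiveSync")
    user.groups.add(MIGRATED_GROUP)
    after = first_match(rules, user, "/Microsoft-Server-ActiveSync")
    return before, after

def cutover(rules):
    """After the migration: delete the legacy rules and open the 2010 rules to all authenticated users."""
    kept = [r for r in rules if r.backend == "ex2010"]
    return [PublishingRule(r.name, r.paths, r.backend, ALL_AUTHENTICATED) for r in kept]
```

With the legacy rules on top, "All Authenticated Users" matches everyone first and a migrated user keeps hitting the legacy server; deleting the legacy rules without reverting the 2010 rules to all authenticated users denies every user who is not yet in the group.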
I migrated about 300 users with random PDAs and tablets this way, with no downtime at all.