We have a pretty standard set-up.
Forefront TMG in the DMZ with our Sharepoint 2010 farm in our internal VLAN.
What we call "sharepoint portal" access is handled through a custom form in TMG.
Since we are sunsetting TMG, we can provide claims-based authentication via ADFS2.0 to our Sharepoint, but do not want to expose our Sharepoint 2010 to the outside.
What is a reasonable/cost-effective solution for providing secure pass-through?