A quick post-and-run, but worth bearing in mind: if you're doing Forms-Based Authentication (FBA) on TMG and are offloading SSL before the TMG box, there's a reasonable chance you don't have any certificates installed on the TMG server. If so, users will not be able to change their passwords, and those flagged "password must be changed at next login" will not be able to log in at all.

This is because the TMG server needs to open an LDAPS connection to a domain controller to perform the password change. The S in LDAPS stands for secure, and with no certificate there is no secure connection, so the change fails. Install the certificates, reboot, and all is well in the world again.
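A quick way to confirm the failure mode described above from the TMG box itself, as an added example that is not from the original post: complete a TLS handshake to the domain controller on the LDAPS port and report whether the DC's certificate chains to something the local machine trusts. The DC name is a placeholder you substitute for your own.

```powershell
# Added example (not from the original post): check from the TMG server that an
# LDAPS (TCP 636) handshake to a domain controller succeeds and that the DC's
# certificate validates against the local machine's trusted store.
# $DcFqdn is a placeholder; replace it with a real domain controller name.
param([string]$DcFqdn = "dc01.corp.example.invalid")

function Test-LdapsTrust {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $result = [ordered]@{ Server = $Server; TcpConnected = $false; HandshakeOk = $false
                          ChainErrors = $null; Subject = $null; Issuer = $null
                          NotAfter = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $result.TcpConnected = $true
        # Record the policy errors rather than silently accepting the certificate:
        # a strict LDAPS client (like TMG doing a password change) will refuse these.
        $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true   # accept only so we can inspect the cert; errors are reported below
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $result.HandshakeOk  = $true
        $result.ChainErrors  = $script:policyErrors
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

$r = Test-LdapsTrust -Server $DcFqdn
$r | Format-List
if (-not $r.HandshakeOk -or $r.ChainErrors -ne 'None') {
    Write-Warning "LDAPS to $DcFqdn is not trusted from this host; FBA password changes will fail until the missing certificates are installed."
}
```

A result of `ChainErrors : RemoteCertificateChainErrors` on an otherwise successful handshake is the certificate gap the post describes; `TcpConnected : False` points at a firewall or DC listener problem instead.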