As far as I know, MWG doesn't have a soft lock mechanism, so we want to use a TMG server as a reverse proxy (or authentication gateway), so that our users can access internal MWG systems when they are outside the company.
They will first interact with the TMG and authenticate (TMG has a soft lock mechanism here, which we want for security), then TMG redirects/fwd.proxy traffic to the internal MWG and MWG does all the URL/content filtering.
Is there any best practice about this scenario?
I doubt there is - just make sure that the TMG forwards the credentials so MWG sees them. You might want to use the TMG plugin we provide to improve what TMG can offer - worth a test.