Hi,
Yes, it takes two machines: one TMG without "mail protection" (just TMG, no Exchange Edge and no Forefront) and another with Exchange Edge and Forefront protection, just the same configuration as with ISA Server.
At first look, for small environments it seemed to be a good idea to consolidate "Exchange Edge" and "Forefront for Exchange" with TMG on one machine, but I depend on SMTP logs to control the anti-spam behaviour of TMG, and so I really cannot use it.
Best regards
hkillerm