This is still a big problem. Microsoft needs to fix this. Microsoft Forefront TMG Managed Control can't start because there are IP addresses in the Exchange IP Block List. Here is a workaround:
1. Open Exchange Management Shell
2. Type "get-ipblocklistentry | remove-ipblocklistentry" to remove all addresses from the IP Block List (don't worry, Exchange will put them back soon enough).
3. Start Microsoft Forefront TMG Control service
Exchange will continue to add IP addresses to the block list and Forefront will still fight it and log an error, but at least your firewall will start. Of course the next time you make a policy change and try to apply it, most likely the TMG Managed Control Service won't start and you'll have to use the workaround above.
It's like Microsoft never tested this product. Sad.
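
The workaround above as a script, with the block list saved to CSV before it is cleared. This is an added example, not part of the original post; the backup folder is an assumption, and the service display name is the one given in step 3.

```powershell
# Added example. Run in the Exchange Management Shell on the affected server.
# $backupDir is a hypothetical location chosen for this example.
$backupDir = 'C:\Temp'
$backup    = Join-Path $backupDir ("ipblocklist-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Step 2: keep a copy of the current entries, then clear the list.
$entries = @(Get-IPBlockListEntry)
if ($entries.Count -gt 0) {
    $entries | Export-Csv -Path $backup -NoTypeInformation
    Write-Host ("Saved {0} entries to {1}" -f $entries.Count, $backup)
    # -Confirm:$false suppresses the per-entry confirmation prompt.
    $entries | Remove-IPBlockListEntry -Confirm:$false
}

# Verify the list is empty before touching the service.
$left = @(Get-IPBlockListEntry).Count
if ($left -ne 0) {
    Write-Warning "$left entries are still on the IP Block List"
}

# Step 3: start the service and show the state of the TMG services.
Start-Service -DisplayName 'Microsoft Forefront TMG Control'
Get-Service -DisplayName 'Microsoft Forefront TMG*' |
    Format-Table Status, Name, DisplayName -AutoSize
```

The CSV is a record of what was on the list at the time of removal, which is useful if any of the entries were added by hand.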