Forefront Threat Management Gateway (TMG) product line is using Microsoft Reputation Services (MRS) Servers to obtain Malware lists, URL lists etc. If you are using additional firewall/s, you may need to allow passing HTTP/S traffic from the TMG/UAG server to this servers. To find the current IP’s of the Microsoft Reputation Services (MRS) Servers you can use the command:
“for %i in (ds ts) do nslookup 10.%i.mrs.microsoft.com “
Note: By default, the “System Policy” of the local TMG/UAG would allow HTTP/S traffic to pass through after you enabling Malware /URL Protection.
Source: URL filtering troubleshooting flow