I found my answer. In short, it is not a supported configuration on ISA/TMG. Because the traffic is coming from a network, which the remote ISA/TMG server is not directly attached to, it drops it it as spoofed. So the only way to route from a network attached to one ISA/TMG to another a network attached to a different ISA/TMG server, (even though a simi-trusted perimeter network, using private IP spaces), is to treat the remote network as External by not defining it in ISA/TMG's networks.
The following is an excerpt from Microsoft TechNet, outlining rules for configuring Networks:
(
http://technet.microsoft.com/en-us/library/cc995185.aspx)
"Each network you create must have a dedicated network adapter associated with it. For example, to create a topology that includes the internal corporate network, the Internet, and a perimeter network, three network adapters must be installed and enabled on the Forefront TMG computer. There are some exceptions. In a back-to-back firewall configuration, where the Internet is behind a perimeter network, there is no adapter associated with the external network. In addition, a VPN site-to-site network object does not have an adapter associated with it.
All IP addresses that can be reached directly from a network adapter must be defined as part of the Forefront TMG network that is associated with the adapter. All remote subnets must be added correctly to the network definition, and the IP address range of the network must match the routing table. Routes should be defined in the routing table for each remote subnet."
"A packet is considered spoofed (and therefore dropped) if one of the following is true:
The packet contains a source IP address that (according to the routing table) is not reachable through a network adapter associated with the network.
The packet contains a source IP address that does not belong to the address range of a network associated with the adapter."
I'm not at all thrilled, but it looks like that's my answer.
