So you wanne have Exchange Hybrid with either ISA, TMG or UAG.
Maybe because you allready have OnPrem Exchange with pre-authentication in your ISA/TMG/UAG.
Well, the easy answer is: It will not work!
Because some services required in Hybrid doesn’t work with pre-authentication.
Can you fix it? Yes!
You need to make an optional DNS Name and make a rule with pass-trough setting.
This is recommended for these services:
Exchange Web Services (connecting to mrsproxy,etc)
Autodiscover (redirect users to Exchange Online OWA)
Or just bypass the ISA/TMG/UAG Server and forward all connections to your Hybrid Exchange Server.