To request certificates from Forefront TMG, ports need to be opened to allow access from Forefront TMG to the Certificate Authority. This is a known situation, and there is a blog post at ISA Server on how to accomplish this.
But if the CA is a Windows Server Core installation, it is a little trickier to configure the CA to use a static port. It is not possible to remotely manage the DCOM part of the CA using the MMC Component Services Add-in.
You can do this directly through the registry using regedit on the Server Core installation.
- Find the Application ID GUID of the Certificate Server Request component.
- Update the key to use a fixed port.
- Restart the Certificate Service.
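
The three steps above as a script, added here as an example and not taken from the original post. It assumes PowerShell is installed on the Server Core CA, that the component is registered under the DCOM display name `CertSrv Request`, and that the static port is stored in the standard DCOM `Endpoints` value; the port number 50000 is a placeholder.

```powershell
# Added example. Assumptions: DCOM display name "CertSrv Request",
# service name CertSvc, and a placeholder static port of 50000.
$appName   = 'CertSrv Request'
$port      = 50000
$appIdRoot = 'HKLM:\SOFTWARE\Classes\AppID'   # machine-wide view of HKEY_CLASSES_ROOT\AppID

# Step 1: find the AppID GUID by its display name (the default value of the key).
$found = @(Get-ChildItem -Path $appIdRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' -and $_.GetValue('') -eq $appName })

if ($found.Count -ne 1) {
    throw "Expected exactly one AppID named '$appName', found $($found.Count)."
}
$keyPath = $found[0].PSPath
Write-Host "AppID key: $($found[0].PSChildName)"

# Record the current setting so the change can be reverted.
$previous = (Get-ItemProperty -Path $keyPath -Name Endpoints -ErrorAction SilentlyContinue).Endpoints
if ($previous) { Write-Host "Previous Endpoints: $($previous -join '; ')" }
else           { Write-Host 'Previous Endpoints: not set (dynamic RPC ports)' }

# Step 2: pin the component to one TCP port.
# Endpoints is a REG_MULTI_SZ; each entry is "<protocol sequence>,0,<port>".
New-ItemProperty -Path $keyPath -Name Endpoints -PropertyType MultiString `
    -Value @("ncacn_ip_tcp,0,$port") -Force | Out-Null

# Step 3: restart the Certificate Service so it binds to the new port.
Restart-Service -Name CertSvc

# Check: the service should now be listening on the fixed port.
$listening = netstat -ano | Select-String -Pattern ":$port\s+.*LISTENING"
if ($listening) { $listening | ForEach-Object { Write-Host $_.Line.Trim() } }
else            { Write-Warning "Nothing is listening on TCP $port yet; check the Endpoints value." }
```

With the port fixed, the access rule from Forefront TMG to the CA can be limited to the RPC endpoint mapper (TCP 135) and this one port instead of the whole dynamic RPC range.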