Yes, we replaced a TMG installation with a UTM for both Exchange and SharePoint. If the UTM doesn't do authentication (i.e., no auth profile), then everything is dependent on the configuration of IIS and SharePoint, for example the web application you have deployed the application in and its authentication settings.
I configured the external access in a different web application which used HTTPS and a different FQDN. I enabled NTLM on that application. It is better to create this application because the internal and external hostnames are different for our SharePoint instance.
In our environment the user gets prompted for creds if they aren't logged in with a domain account, but if they are logged on with a domain account it passes the authentication through. You don't need to do anything to get NTLM passthrough to work; it just works as long as there is no authentication profile defined.