Sorry, but this is incorrect. TMG is not SNI aware. By using a wildcard certificate on the listener, you are avoiding the issue/benefit of SNI. In your example, TMG ignores the SNI, sends the wildcard cert which matches the domain the user is requesting, the tunnel comes up and the HTTP request is made, TMG finds out the host in the request and matches it against one of the public names in the list of TMG Firewall Rules, many of which can use the same listener as you indicated, and the request is forwarded to the correct site or farm.
The genius of SNI would be that you don't even need a wildcard certificate. The benefit would be that one could have a listener object with a pool of certificates that are 'valid' for that listener and TMG would get the request host from SNI and supply the single-subject-name certificate from the pool of valid certs that matched it. Obviously, TMG was not designed with this in mind, so it makes no use of SNI.
/-djs-/
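The two listener behaviours contrasted in the reply above, as an added example (not TMG code, not from the poster): a minimal parser pulls the server_name out of a raw TLS ClientHello, and `select_cert` either picks a matching single-name certificate from a pool (the SNI-aware case) or ignores SNI and always returns the listener's one wildcard certificate (TMG as described). Certificates are represented by their subject names only, and the ClientHello bytes are constructed inline.

```python
import struct
from typing import Optional

def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with an optional server_name extension (RFC 6066)."""
    body = b"\x03\x03" + b"\x00" * 32                     # client_version + random
    body += b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"   # empty session_id, one cipher suite, null compression
    if host is not None:
        name = host.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0) + name
        ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni   # ext type 0, ext length, list length
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the ClientHello carries none."""
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None
    p = 9 + 2 + 32                                          # skip record/handshake headers, version, random
    p += 1 + client_hello[p]                                # session_id
    p += 2 + struct.unpack_from("!H", client_hello, p)[0]   # cipher_suites
    p += 1 + client_hello[p]                                # compression_methods
    if p + 2 > len(client_hello):
        return None                                         # no extensions block at all
    end = p + 2 + struct.unpack_from("!H", client_hello, p)[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, p)
        p += 4
        if ext_type == 0 and client_hello[p + 2] == 0:      # server_name ext, name_type host_name
            name_len = struct.unpack_from("!H", client_hello, p + 3)[0]
            return client_hello[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

def cert_covers(subject: str, host: str) -> bool:
    """Exact match, or single-label wildcard: *.example.com covers www.example.com but not a.b.example.com."""
    if subject.startswith("*."):
        return "." in host and host.split(".", 1)[1] == subject[2:]
    return subject == host

def select_cert(client_hello: bytes, pool: list, default: str, sni_aware: bool) -> str:
    """sni_aware=True: serve the first pool cert covering the SNI host. sni_aware=False (TMG as
    described above): the handshake's SNI is ignored and the one default (wildcard) cert is always sent."""
    host = parse_sni(client_hello) if sni_aware else None
    for subject in pool:
        if host is not None and cert_covers(subject, host):
            return subject
    return default
```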