By monitoring the TMG log while trying to make a call, I figured out what additional rules and network entities I needed:
An address range to PHONE.COM
A domain name set to SIP.PHONE.COM
A new protocol I named RTP Pope
A new protocol I named UDP 6060
Two new firewall rules (Phone Init and NTP)
The VOIP phones have been working over Microsoft TMG for about 3 months now without problems.