Users can connect externally and see the list of published applications, but attempts to launch them fail. It is possible to connect to the target VDI/TS machines directly from the Secure-IT server. The firewall is deactivated on the Secure-IT server. The Secure-IT log shows that while the client is trying to establish a session, the "client unexpectedly disconnects".
ISA/TMG server rules
The issue has been traced to the ISA/TMG server forwarding rules.
Secure-IT traffic is not plain HTTPS traffic. HTTPS is used in the first stage of the connection, when the Secure Access server proxies port 443 to the Web Access server. During the actual connection, Secure Access proxies the RDP connection through port 443 (if it is configured that way). This kind of traffic is not marked as HTTPS, and the ISA server will drop such connections. To pass secured RDP traffic through the ISA or TMG server, the HTTPS rule should be replaced with a TCP 443 rule.
All application scanning/deep inspection should be turned off as well for this rule to work.
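To confirm which kind of traffic is arriving on port 443, the first client bytes of each TCP stream in a packet capture can be classified. The following is an added diagnostic example, not part of Secure-IT or ISA/TMG; the sample payloads are constructed, and it assumes the capture exposes the first bytes the client sends (the page does not state how Secure-IT frames the proxied RDP session).

```python
import struct

# Constructed sample payloads (first client bytes only), not taken from a real session.
TLS_SAMPLE = bytes.fromhex("160301002f0100002b0303")
RDP_SAMPLE = bytes.fromhex("030000130ee000000000000100080003000000")

def classify_first_bytes(data: bytes) -> str:
    """Label the first client bytes of a TCP stream seen on port 443."""
    if len(data) < 6:
        return "too-short"
    # TLS record header: type 0x16 (handshake), major version 0x03, 2-byte length.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        rec_len = struct.unpack(">H", data[3:5])[0]
        # The first handshake message from a client is ClientHello (type 0x01).
        if data[5] == 0x01 and 0 < rec_len <= 16384:
            return "tls-client-hello"
        return "tls-other"
    # TPKT header (RFC 1006): version 3, reserved 0, 2-byte total length.
    if data[0] == 0x03 and data[1] == 0x00:
        total = struct.unpack(">H", data[2:4])[0]
        # X.224 Connection Request carries PDU code 0xE0 in the high nibble of byte 5.
        if total >= 7 and data[5] & 0xF0 == 0xE0:
            return "rdp-x224-connection-request"
        return "tpkt-other"
    return "unknown"

def non_tls_streams(streams: dict) -> list:
    """Return the names of streams whose first bytes are not a TLS handshake."""
    return sorted(name for name, data in streams.items()
                  if not classify_first_bytes(data).startswith("tls"))

if __name__ == "__main__":
    for name, payload in (("web-access", TLS_SAMPLE), ("rdp-session", RDP_SAMPLE)):
        print(name, classify_first_bytes(payload))
```

A stream that is not labelled as TLS, or a TLS stream that is reset right after the handshake, points at protocol inspection on the firewall rule rather than at the Secure-IT server.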
Please consult a Microsoft ISA/TMG server specialist for more details on how to modify ISA/TMG server rules.