Short answer: Yes. Long answer follows.
TMG can do the following:
1. Perform stateful packet filtering
2. Perform NAT/NAT Overloading of IPv4 traffic
3. Filter and NAT a few problematic protocols via ALGs
4. Function as an IPsec/PPTP/L2TP endpoint/VPN concentrator for site-to-site connections
5. Be a PPTP, L2TP and/or SSTP VPN endpoint for clients
6. Perform HTTP and FTP content filtering (antivirus/anti-malware)
7. Be a caching proxy with HTTP URL filtering, including category filtering (for as long as Microsoft bothers to maintain the category lists; TMG is a discontinued product)
8. Be part of a hierarchy of proxy servers
9. Act as a reverse proxy for internal web servers, including being an SSL/TLS endpoint
10. Perform authentication of VPN clients and proxy users against a local user database, Active Directory or RADIUS
11. Generate fake certificates on the fly in order to act as a man-in-the-middle for outgoing HTTPS connections, which means it can scan data transmitted via HTTPS (only works if you can convince the client computers that the TMG server is a trusted root Certificate Authority)
I think that's pretty much it. I've worked extensively with TMG for many years, and the product would have been kind of OK back in 2010, had it not been for the fact that compared to just about any other firewall on the market, it's horribly unstable.
Squid is a proxy server. It can act as a forward and/or reverse proxy, and it's slightly more flexible than the TMG proxy in many areas. It can be configured to authenticate clients against several types of services, including all those supported by TMG. Squid lacks the "content download job" function that TMG has, but that can easily be simulated by a script. It does not have a built-in URL category list, but there are third party add-ons for that.
In other words, Squid can do 7, 8, 9 and the proxy bit in 10. If you add one of the many filtering plugins that exist, you can get it to do 6 as well.
If you run Squid on Linux or BSD, the OS and its built-in firewall will take care of points 1-3. In fact, Linux is a vastly better firewall than TMG ever was, and has superior ALG support. Also, Linux and BSD have proper IPv6 support as well.
For IPsec, PPTP, L2TP or SSTP you'll need additional software, which is freely available. That takes care of 4, 5 and the remaining parts of 10.
As for point 11, I've never seen a Linux/BSD firewall do SSL certificate spoofing, but even that may be possible. Not that you'd want to do it, though, as it only works in centrally managed environments and may in fact be illegal in some states/countries (the proxy is actively impersonating HTTPS servers on the Internet).
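To make the proxy side of this concrete, here is an added squid.conf that is not part of the answer above and not Squid's own sample config. It covers points 6 through 10 (content scanning via ICAP, caching forward proxy with URL filtering, a parent proxy, a TLS-terminating reverse proxy, and Kerberos/LDAP authentication against Active Directory) and shows the optional SSL Bump listener that implements point 11. It assumes Squid 4.x or later directive syntax, Debian-style helper paths under /usr/lib/squid/, a domain EXAMPLE.COM with a keytab for HTTP/proxy.example.com, an ICAP antivirus service on 127.0.0.1:1344 (c-icap with ClamAV, for example), and the hostnames, subnets and file paths are all placeholders to be replaced.

```conf
# /etc/squid/squid.conf  (added example; Squid 4.x/5.x syntax, all names are placeholders)

# --- Point 7: caching forward proxy -------------------------------------------
http_port 3128
cache_mem 512 MB
cache_dir ufs /var/spool/squid 20000 16 256
maximum_object_size 256 MB

# --- Point 11 (optional): HTTPS interception with SSL Bump --------------------
# Replaces the plain http_port above. Only works if every client trusts
# /etc/squid/mitm-ca.pem as a root CA; check the legal position first.
#http_port 3128 ssl-bump tls-cert=/etc/squid/mitm-ca.pem tls-key=/etc/squid/mitm-ca.key generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
#sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 16MB
#acl step1 at_step SslBump1
#ssl_bump peek step1
#ssl_bump bump all

# --- Point 10: authenticate proxy users against Active Directory --------------
# Kerberos (single sign-on for domain-joined clients) first, LDAP basic as fallback.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=example,dc=com" -D "cn=squid,ou=service,dc=example,dc=com" -W /etc/squid/ldap.pw -f "(sAMAccountName=%s)" -h dc1.example.com
auth_param basic children 10
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 5 minutes
acl authenticated proxy_auth REQUIRED
acl lan src 192.168.10.0/24

# --- Point 7 (URL filtering): static deny lists -------------------------------
# One entry per line. A third-party category list (ufdbGuard, squidGuard) plugs
# in through url_rewrite_program instead of these files.
acl blocked_domains dstdomain "/etc/squid/blocked-domains.txt"
acl blocked_urls url_regex -i "/etc/squid/blocked-urls.txt"
acl ssl_ports port 443
acl safe_ports port 80 443 21 1025-65535
acl CONNECT method CONNECT

# --- Point 6: antivirus/anti-malware scanning through an ICAP service ---------
icap_enable on
icap_service av_req reqmod_precache bypass=0 icap://127.0.0.1:1344/avscan
icap_service av_resp respmod_precache bypass=0 icap://127.0.0.1:1344/avscan
adaptation_access av_req allow all
adaptation_access av_resp allow all

# --- Point 9: reverse proxy, TLS terminated on Squid --------------------------
https_port 443 accel tls-cert=/etc/squid/certs/www.example.com.pem tls-key=/etc/squid/certs/www.example.com.key defaultsite=www.example.com
cache_peer 10.10.0.20 parent 80 0 no-query originserver name=web1
acl web1_sites dstdomain www.example.com
cache_peer_access web1 allow web1_sites
cache_peer_access web1 deny all

# --- Point 8: this box is a child of an upstream parent proxy -----------------
cache_peer upstream-proxy.example.com parent 3128 0 no-query default name=upstream
cache_peer_access upstream deny web1_sites
never_direct allow all            # drop this line if this box has direct Internet access

# --- Access policy: order matters, first match wins ---------------------------
http_access deny !safe_ports
http_access deny CONNECT !ssl_ports
http_access allow localhost manager
http_access deny manager
http_access allow web1_sites      # reverse-proxy visitors are never asked to log in
http_access deny blocked_domains
http_access deny blocked_urls
http_access allow lan authenticated
http_access deny all
```

The reverse-proxy `http_access allow web1_sites` has to precede `allow lan authenticated`, otherwise Internet visitors to www.example.com get a 407 challenge. `squid -k parse` validates the file before a reload, and `squid -k reconfigure` applies it.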
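For points 1-3 on the Linux side, here is an added nftables ruleset that is not part of the answer above: a stateful default-deny firewall, IPv4 masquerading (NAT overloading) for the LAN, the kernel's FTP conntrack helper as an ALG for active FTP, and a forward-chain rule that makes LAN hosts go through the Squid proxy rather than straight to ports 80/443. Interface names and the 192.168.10.0/24 subnet are placeholders, and it assumes `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` are set via sysctl.

```conf
#!/usr/sbin/nft -f
# /etc/nftables.conf  (added example; load with: nft -f /etc/nftables.conf)
flush ruleset

define wan     = eth0                # placeholder interface names
define lan     = eth1
define lan_net = 192.168.10.0/24

# Point 1: stateful filtering (inet = IPv4 and IPv6 in one table)
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Squid and SSH reachable from the LAN only
        iif $lan tcp dport { 22, 3128 } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big, time-exceeded,
                      parameter-problem } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Web traffic must go through the proxy: no direct 80/443 from the LAN
        iif $lan oif $wan tcp dport { 80, 443 } drop
        iif $lan oif $wan accept
    }
}

# Point 2: NAT overloading of IPv4 traffic leaving the WAN interface
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $wan ip saddr $lan_net masquerade
    }
}

# Point 3: ALG for active FTP via the kernel conntrack helper (nf_conntrack_ftp);
# the helper tracks the PORT/PASV data connection so "related" state accepts it.
table inet helpers {
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }
    chain prerouting {
        type filter hook prerouting priority 0;
        iif $lan tcp dport 21 ct helper set "ftp-standard"
    }
}
```

`nft -c -f /etc/nftables.conf` checks the syntax without loading it, and `nft list ruleset` shows what is active. Enabling the helper explicitly like this is deliberate: modern kernels no longer auto-assign conntrack helpers to every matching flow, so without the `ct helper set` rule the FTP data connection would be dropped as a new, unrelated connection.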