Forefront TMG
ISA Server
Vyatta OFR

Application Control with Forefront TMG 2010 - Block Ultrasurf

According to its web site, Ultrasurf is a a free proxy-based tool for internet privacy and security that allows you to bypass firewalls and protect your identity online.
Without denying its usefulness(example bypass China's firewall), using it at work by employees to access restricted sites might not be desired.

There are a couple of ways to block Ultrasurf, assuming you are not using the URL filtering solution of TMG.
You need to use a restrictive firewall policy for Internet access for your users, meaning allowing only HTTP and HTTPS for them(perhaps FTP too, or what else is strictly needed).
Using an allow all policy for them, even if you start blocking one by one the known proxy-based bypassing solutions you will still end up with users bypassing your restrictions.

First method, although this application can be configured to use a proxy, as writing, does not support proxy authentication.
So if possible in case you have only web proxy clients, turn on proxy authentication on TMG for your rules allowing HTTP and HTTPS.
As a result Surfcontrol will not be able to provide credentials when TMG will require proxy authentication.

As a second method, turn on the outbound HTTPS inspection feature of TMG.
Ultrasurf attempts to escape over TCP port 443, however does not use true SSL/TLS, thus TMG will not be able to establish a SSL/TLS connection with Ultrasurf servers.