The issue is that only one device can use a specific IP address & port combination at a time. Since the SSG is using this port, you cannot forward it to another device.
Since this is a protocol standard port for the L2TP connection, you also can't just change it and use a different port.
So in this situation you have to have a second IP address for the second device. If you have a second address in your IP allocation from your ISP, you can use destination NAT to forward that address and port to your MS server.
If you only have one address, contact your ISP and ask about switching your account parameters to allocate a larger subnet.