Hi,
As long as you configure SBG with the IP addresses of the upstream MTA (i.e the MTA that is actually at the gateway), it will still take action based on sender IP reputation.
Obviously, because the message will have already been accepted by the upstream MTA we cannot do connection level blocking but we can catch it at content time.
You will lose the ability to use Connection Classification and Fastpass, because they are connection time features.
The biggest loss however is reputation based AS (connection time rejection of the inbound TCP connection), which translates to CPU overhead as the content scan takes place in memory rather than rejecting the connection at SMTP time.
How big that overhead is really depends on how many messages per second you receive to SBG and how many of them are spam versus legit.
Could you let us know WHY you have to have an upstream MTA before traffic hits SBG? It might be possible to achieve your requirements with Brightmail Gateway alone.
Thanks,
//ian