This article explains how GFI WebMonitor is authenticated in Microsoft's Threat Management Gateway (TMG) server.
In TMG, there are three client types. Any client machine connecting through TMG can be one or more of these client types:
- NAT Client
- Firewall Client
- Proxy Client
Both the Firewall Client and the Proxy Client can authenticate, but they typically override the client's Network Address Translation (NAT) settings. The table below describes these client types:
NAT Clients
NAT clients are clients that have their default gateway set to the internal interface of the TMG server, or that connect to the Internet through a router that forwards the traffic to the TMG internal interface.
NAT clients cannot authenticate with TMG, so their HTTP, HTTPS, or FTP traffic shows up only as unauthenticated connections (IP addresses) in TMG and GFI WebMonitor. This suits client computers that have neither proxy settings configured nor the Firewall Client installed, such as non-Windows machines or wireless devices.
Proxy Clients
Proxy Clients are client computers whose browser proxy settings point to the proxy port on the internal interface of the TMG server; this causes HTTP, HTTPS, and FTP traffic to go through the TMG server's proxy port.
You can configure TMG to require authentication from the browser as follows:
TMG Firewall Clients
TMG Firewall Clients are client computers that have the ISA Firewall Client software installed on their machines; this can be automated through TMG Management.
The Firewall Client automatically provides authentication information to TMG and to GFI WebMonitor's web filter.
All traffic is sent directly to the internal interface of TMG to a negotiated port. If the client computer is also a Proxy Client, the HTTP, HTTPS, and FTP traffic is sent directly to the configured proxy port on the TMG's internal interface (by default 8080).
Other traffic is sent via the Firewall Client connections.
There is a performance increase in TMG when your client computers are set as Proxy Clients because they connect directly to the TMG proxy port. For Firewall and NAT Clients, TMG has to forward the HTTP, HTTPS, and FTP requests internally to the proxy server in TMG, which requires more resources and time.
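Because NAT clients appear only as unauthenticated IP addresses, an exported proxy log can be used to list the machines that never present a username and so cannot be tied to a user in reports. The following is an added example, not part of the original article or of GFI's or Microsoft's tooling; the column names (c-ip, cs-username), the "anonymous" placeholder and the sample lines are assumptions to be matched against your own log export.

```python
from collections import defaultdict

# Constructed sample in W3C extended (tab-separated) style. Column names and
# the "anonymous" / "-" placeholders are assumptions; adjust to your export.
SAMPLE_LOG = (
    "#Fields: date\ttime\tc-ip\tcs-username\tcs-uri\n"
    "2014-03-01\t09:00:01\t10.0.0.21\tCORP\\alice\thttp://example.com/\n"
    "2014-03-01\t09:00:04\t10.0.0.57\tanonymous\thttp://example.org/\n"
    "2014-03-01\t09:00:05\t10.0.0.33\tanonymous\thttp://example.net/\n"
    "2014-03-01\t09:00:06\t10.0.0.33\tCORP\\bob\thttp://example.net/\n"
    "2014-03-01\t09:00:09\t10.0.0.57\tanonymous\thttp://example.org/a\n"
    "2014-03-01\t09:00:12\t10.0.0.80\t-\tftp://example.com/file\n"
    "2014-03-01\t09:00:15\t10.0.0.57\tAnonymous\thttp://example.org/b\n"
    "2014-03-01\t09:00:20\t10.0.0.21\tCORP\\alice\thttp://example.com/x\n"
)

# Values treated as "no authenticated user" (assumed placeholders).
UNAUTHENTICATED = {"", "-", "anonymous"}


def unauthenticated_clients(log_text):
    """Return {client_ip: request_count} for IPs that never sent a username.

    An IP with at least one authenticated request (a Proxy or Firewall
    Client) is excluded even if some of its requests were anonymous.
    """
    fields = None
    seen = defaultdict(lambda: [0, 0])  # ip -> [authenticated, anonymous]
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header names the columns used for all following rows.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        ip = row.get("c-ip", "").strip()
        if not ip:
            continue
        user = row.get("cs-username", "").strip().lower()
        if user in UNAUTHENTICATED:
            seen[ip][1] += 1
        else:
            seen[ip][0] += 1
    return {ip: anon for ip, (auth, anon) in seen.items() if auth == 0}


if __name__ == "__main__":
    for ip, count in sorted(unauthenticated_clients(SAMPLE_LOG).items()):
        print(f"{ip}\t{count} unauthenticated requests, likely a NAT client")
```

The addresses it reports are candidates for configuring browser proxy settings or installing the Firewall Client if per-user reporting is needed.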