In TMG there are three client types
Any client machine connecting through TMG can be one or more of these client types: NAT Client, Firewall Client, and Proxy Client. Authentication can be accomplished by the Firewall Client and the Proxy Client but these normally override the NAT client settings.
NAT clients are clients that have their default gateway set to the internal interface of the TMG Server OR connect to the internet through a router that forwards the traffic to the TMG internal interface. NAT clients can't authenticate with TMG so their HTTP, HTTPS, or FTP traffic will only show up as unauthenticated connections (IP Addresses) in TMG and GFI Webmonitor. This is good for client computers that do not have the proxy settings set or have the Firewall Client installed like non-Windows machines or wireless devices.
Proxy Clients are client computers that have their browser proxy settings set to the proxy port on the internal interface or the TMG server. This causes HTTP, HTTPS, and FTP traffic to go through TMG Server's proxy port. You can configure TMG to require authentication from the browser as follows: In TMG Management go to Configuration > Networks > Internal. Right-click properties, click the Web Proxy tab and then the Authentication button. Require users to authenticate by selecting the integrated method. On the client browser you can set the proxy settings by going to Tools > Internet Options > Connections > LAN Settings. Alternatively, you can set the proxy settings on the browser via group policy.
TMG Firewall Clients
TMG Firewall Clients are client computers that have the ISA Firewall Client software installed on their machines. This can be automated through TMG Management. The Firewall Client automatically provides authentication information TMG and the GFI Webmonitor Webfilter. All traffic is sent directly to the internal interface of TMG to a negotiated port. If the client computer is also a Proxy Client the HTTP, HTTPS, and FTP traffic are sent directly to the configured proxy port on the TMG internal interface, by default 8080. Other traffic is sent via the Firewall Client connections.
There is a performance increase in TMG when your client computers are set as proxy clients because they connect directly to the TMG proxy port. For NAT / Firewall clients, TMG has to forward the HTTP, HTTPS, and FTP requests internally to the proxy server in TMG and this requires more resources and time.