WebMonitor Authentication in Microsoft's TMG Server

Overview

This article explains how GFI WebMonitor is authenticated in Microsoft's Threat Management Gateway (TMG) server.

Information

In TMG, there are three client-types. Any client machine connecting through TMG can be one or more of these client-types:

  • NAT Client
  • Firewall Client
  • Proxy Client

Authentication can be accomplished by the Firewall Client and the Proxy Client, but these typically override the client's Network Address Translation (NAT) settings. The table below describes each client-type:

Client-Type

Description

NAT Clients

NAT clients are clients that have their default gateway set to the internal interface of the TMG server or connect to the Internet through a router that forwards the traffic to the TMG internal interface.

NAT clients cannot authenticate with TMG, so their HTTP, HTTPS, or FTP traffic shows up only as unauthenticated connections (IP addresses) in TMG and GFI WebMonitor. This is good for client computers that do not have the proxy settings set or the Firewall Client installed, such as non-Windows machines or wireless devices.

Proxy Clients

Proxy Clients are client computers that have their browser proxy settings set to the proxy port on the internal interface of the TMG server; this causes HTTP, HTTPS, and FTP traffic to go through the TMG server's proxy port.

You can configure TMG to require authentication from the browser as follows:

  1. In TMG Management, navigate to Configuration > Networks > Internal.
  2. Right-click Properties.
  3. Click the Web Proxy tab and then the Authentication button.
  4. Require users to authenticate by selecting the integrated method.

On the client browser, you can set the proxy settings by navigating to Tools > Internet Options > Connections > LAN Settings. Alternatively, you can set the proxy settings on the browser via group policy.

TMG Firewall Clients

TMG Firewall Clients are client computers that have the ISA Firewall Client software installed on their machines; this can be automated through TMG Management.

The Firewall Client automatically provides authentication information to TMG and the GFI WebMonitor's web filter.

All traffic is sent directly to the internal interface of TMG to a negotiated port. If the client computer is also a Proxy Client, the HTTP, HTTPS, and FTP traffic is sent directly to the configured proxy port on the TMG's internal interface (by default 8080).

Other traffic is sent via the Firewall Client connections.

There is a performance increase in TMG when your client computers are set as Proxy Clients because they connect directly to the TMG proxy port. For Firewall and NAT Clients, TMG has to forward the HTTP, HTTPS, and FTP requests internally to the proxy server in TMG, which requires more resources and time.
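
The NAT Clients description above notes that their traffic appears only as unauthenticated connections (IP addresses). As an added example, not part of the original article or of GFI's or Microsoft's tooling, this Python script groups proxy log records by client IP to show which machines are browsing without a user identity. The tab-separated W3C layout, the field names (c-ip, cs-username, sc-status) and the "anonymous" user value are assumptions about the exported log, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample; the tab-separated W3C layout, the field names and the
# "anonymous" user value are assumptions about how the proxy log is exported.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tr-host\tsc-status",
    "10.0.0.21\tCORP\\alice\tintranet.example\t200",
    "10.0.0.33\tanonymous\twww.example.com\t407",   # challenge leg
    "10.0.0.33\tCORP\\bob\twww.example.com\t200",
    "10.0.0.57\tanonymous\twww.example.com\t200",
    "10.0.0.57\tanonymous\tcdn.example.net\t200",
    "10.0.0.99\tanonymous",                          # truncated record
])

ANONYMOUS = {"", "-", "anonymous"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop truncated records
                yield dict(zip(fields, values))

def classify_clients(records):
    """Map client IP -> 'authenticated', 'unauthenticated' or 'mixed'."""
    counts = defaultdict(lambda: {"auth": 0, "anon": 0})
    for rec in records:
        anon = rec.get("cs-username", "").strip().lower() in ANONYMOUS
        # A 407 is the proxy asking for credentials, not unauthenticated
        # browsing, so it must not mark a Proxy Client as anonymous.
        if anon and rec.get("sc-status") == "407":
            continue
        counts[rec.get("c-ip", "?")]["anon" if anon else "auth"] += 1
    result = {}
    for ip, n in counts.items():
        if n["auth"] and n["anon"]:
            result[ip] = "mixed"
        else:
            result[ip] = "authenticated" if n["auth"] else "unauthenticated"
    return result

if __name__ == "__main__":
    for ip, state in sorted(classify_clients(parse_w3c(SAMPLE_LOG)).items()):
        print(f"{ip}\t{state}")
```

An IP reported as "unauthenticated" is a candidate NAT client; "mixed" usually means the machine is reaching TMG by more than one client-type.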

Priyanka Bhotika