Can Microsoft Forefront TMG handle users that are not part of a domain?

active-directory bandwidth-control microsoft-ftmg-2010 windows-server-2008-r2 workgroup

I'm a newbie and please excuse me if my question is so foolish 🙂
Here is the scenario:
In our company we have 50 PCs: 40 PCs are joined to the domain and 10 PCs are not joined to the domain (they are simply in a workgroup), and we never want to join them to the domain.

Now we want to limit the internet access and bandwidth for all 50 PCs. We can simply do that for the 40 PCs (which are joined to the domain) using Microsoft Forefront TMG and the Bandwidth Splitter extension, but how about the 10 PCs (which are not part of any domain)?
Can Microsoft Forefront TMG handle users that are not part of a domain?
If not, what is the solution?
Do I have to use applications like CCProxy?

Any suggestion appreciated, thanks.

Best Answer

There's nothing to stop your workgroup machines using TMG as their proxy, but you won't be able to authenticate the users using Integrated Authentication in IE or the TMG client.

If you configure the machines as proxy clients (i.e. by configuring the proxy address in the browser) and there are no rules that allow anonymous connections then your workgroup users will receive a logon prompt from their browser - and they will need a domain account. This is likely to irritate users and if you're going to have to give each user a domain account then you might as well join the machines to the domain.

If you want the workgroup machines to all have the same set of restrictions (perhaps a different set of restrictions from your domain-joined machines) then you could ensure that they all have IP addresses in a specific range and then restrict traffic based on that range. You would need to allow the connections to be anonymous though.
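
The IP-range approach from the answer above, as an added example that is not part of the original answer and does not use TMG's own API: a small Python model of first-match rule evaluation. The LAN 192.168.10.0/24, the workgroup range 192.168.10.192/28 and the rule names are constructed, and the model assumes that an authenticated rule matching an anonymous request produces a credential prompt rather than falling through to later rules.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not from the original page).
LAN = ipaddress.ip_network("192.168.10.0/24")
WORKGROUP_RANGE = ipaddress.ip_network("192.168.10.192/28")  # .192 - .207

@dataclass
class Rule:
    name: str             # hypothetical rule name
    action: str           # "allow" or "deny"
    source: object        # ip_network the rule applies to
    requires_auth: bool   # True = only authenticated (domain) users match

def evaluate(rules, client_ip, user=None):
    """Return (rule name, outcome) for the first rule whose source matches."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip not in rule.source:
            continue
        if rule.requires_auth and user is None:
            # Modelled assumption: the proxy asks for credentials here
            # and does not try the rules below this one.
            return rule.name, "auth-required"
        return rule.name, rule.action
    return "default", "deny"

workgroup = Rule("workgroup-anonymous", "allow", WORKGROUP_RANGE, False)
domain = Rule("domain-users", "allow", LAN, True)

ORDERED = [workgroup, domain]      # narrow anonymous rule first
MISORDERED = [domain, workgroup]   # authenticated rule shadows it

if __name__ == "__main__":
    # Workgroup PC, no credentials: matched by its address range.
    print(evaluate(ORDERED, "192.168.10.200"))
    # Same PC with the rules reversed: it gets a logon prompt instead.
    print(evaluate(MISORDERED, "192.168.10.200"))
    # Domain PC outside the range still has to authenticate.
    print(evaluate(ORDERED, "192.168.10.25"))
    # Any host holding an address in the range gets the anonymous rule,
    # whoever is logged on: the source address is the only identity.
    print(evaluate(ORDERED, "192.168.10.200", user="CORP\\alice"))
```

Because the range is the only thing that distinguishes these machines, the addresses in it should be assigned by DHCP reservation or static configuration, and the anonymous rule should carry the tighter of the two sets of restrictions.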