So you have configured an access rule in Forefront TMG to only allow authenticated traffic, yet you still have the ‘Anonymous’ user showing in your log files and in the Fastvue for TMG dashboard.
This seems quite counter-intuitive but the answer lies in how Forefront TMG authenticates a client and how this process is logged.
Each time a web proxy client requests a resource through a Forefront TMG firewall, that the client may be denied up to two times (depending on the authentication method being used) before being successfully authenticated and allowed access.
These authentication challenges are logged in the TMG firewall and web proxy log files, with the username ‘Anonymous’ and with the result code 12209 (The Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied) or 407 (Proxy Authentication Required).
As Richard Hicks explains in his blog article Access to the Web Proxy Filter on Forefront TMG 2010 is Denied, there may be thousands of these types of log entries in any given log file.
These records are currently being imported by Fastvue for TMG which is why you may see the Anonymous user at the top of your Top Users list. You may also see a large percentage of denied requests due to this behavior.
We plan to automatically exclude this traffic from being imported so that the denied anonymous records do not clutter the results in the Dashboard or your configured alerts.