About user mapping
User mapping is used to map virtual private network (VPN) clients connecting to Microsoft Forefront Threat Management Gateway. As a result, firewall policy access rules specifying user sets for Windows users and groups are also applied to authenticated users that do not use Windows. If you do not define user mapping for users from namespaces that are not based on Windows, default firewall policy access rules will not be applied to them.
If the Remote Authentication Dial-In User Service (RADIUS) server and Forefront TMG are in untrusted domains (or if one is in a workgroup), user mapping is supported only for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods. Do not use user mapping if any other authentication method is configured.
If you do not enable user mapping for users who do not use Windows, you must create a user set for these users so that firewall policy rules can be applied to them. Regardless of the authentication method (RADIUS or EAP), the user set must be defined for the RADIUS namespace.
For instructions, see Enabling remote client access over a VPN connection.
User mapping to domain accounts is not supported when Forefront TMG is installed in a workgroup.
When Forefront TMG does not belong to a domain (it belongs to a workgroup), the user mapping feature can be used only with the PAP and SPAP authentication methods. Note that these authentication methods are less secure.
The user mapping feature is required only when you create a group-based firewall policy. To build a user-based policy, you can define user sets with RADIUS namespaces.