When you create policy rules, you apply a rule to a specific set of users, known as a user set. A user set includes the list of users and the corresponding authentication scheme.

A user set can include all users in a specified namespace, or a subset of users. In addition, a user set can include users from different authentication schemes. For example, a user set might include a user using the Windows® operating system, a user from a RADIUS namespace, and another user from the SecurID namespace.

Microsoft Forefront Threat Management Gateway comes preconfigured with the following user sets:

  • All Authenticated Users. Predefined user set representing all authenticated users. A rule defined using this set applies to authenticated users. (Note that SecureNAT clients are not authenticated unless they are also VPN clients. In that case, the VPN credentials are used for authorization.)
  • All Users. Predefined user set representing all users. A rule defined using this set applies to all users, both authenticated and unauthenticated.
  • System and Network Service. Predefined user set representing the Local System service and the Network service on the Forefront TMG computer. This user set is used in some system policy rules.

Note: The user set selected for a Web publishing rule must match the authentication scheme specified in the Web listener rule properties. For example, if your Web publishing rule specifies RADIUS authentication, you must select a user set for users in the RADIUS namespace.