The fact that you decide to go for an explicit or a transparent proxy is not linked with an implementation that will make use of the proxy mandatory, at least from what I understand.
I'm not sure I clearly understand your "schema", but it looks like:
- Zentyal has only one interface
- Zentyal is de facto not the network default gateway for devices attached to eth0/2Trust
- your key component is Juniper (acting as a FW, I believe)
With such a design:
- a transparent proxy just doesn't work, or at least not "out of the box"
- without specific rules at the FW level, users can still go through Juniper and access the internet
The best you can do (again, assuming I understand properly) is:
- at the Juniper level, redirect outgoing flow from eth0/2Trust to eth0/1DMZ
- allow only connections from eth0/1DMZ to eth0Untrust
and... this still doesn't work because, due to the willingness (or constraint) to use a transparent proxy, end users must be able to resolve names, thus need access either to an internal DNS handling this or directly to external DNS, so some exception must be defined within the above principle.
I hope this helps
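The zone policy described in the post (Trust clients only reach the internet through the proxy in the DMZ, outgoing web flow redirected to the proxy, plus the DNS exception the post says is needed) can be checked with a small first-match policy evaluator. This is an added example, not code from the post or from Zentyal or Juniper: the zone names Trust/DMZ/Untrust, the proxy port 3128, the `redirect` action and the flows below are all constructed to model the design, not a real firewall configuration.

```python
"""Toy first-match zone policy evaluator (constructed example, not a Juniper config).

It models the egress design from the post: a client in Trust must not reach
Untrust directly, web traffic is redirected to the proxy in DMZ, only DMZ may
reach Untrust, and a DNS exception lets clients resolve names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone of the initiating host, e.g. "Trust"
    dst_zone: str   # zone of the destination, e.g. "Untrust"
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "any" matches every protocol
    dport: int      # 0 matches every port
    action: str     # "permit", "deny" or "redirect:<zone>:<port>"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto in ("any", f.proto)
                and self.dport in (0, f.dport))


def evaluate(rules, flow, default="deny"):
    """First matching rule wins; anything unmatched falls to the default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


PROXY_PORT = 3128  # assumed listening port of the proxy in DMZ (constructed)

# Step 1 and 2 of the post: redirect Trust web flow to the proxy, and let only
# DMZ out to Untrust. Trust -> Untrust is otherwise denied.
BASE_POLICY = [
    Rule("Trust", "Untrust", "tcp", 80, f"redirect:DMZ:{PROXY_PORT}"),
    Rule("Trust", "DMZ", "tcp", PROXY_PORT, "permit"),   # explicit-proxy clients
    Rule("DMZ", "Untrust", "any", 0, "permit"),
    Rule("Trust", "Untrust", "any", 0, "deny"),
]

# The exception the post says is required: clients must still resolve names.
# Placed first so it wins over the catch-all deny.
DNS_EXCEPTION = [
    Rule("Trust", "Untrust", "udp", 53, "permit"),
    Rule("Trust", "Untrust", "tcp", 53, "permit"),
]

POLICY_WITH_DNS = DNS_EXCEPTION + BASE_POLICY


def client_name_resolution_works(rules):
    """Can a Trust client reach an external resolver directly?"""
    return evaluate(rules, Flow("Trust", "Untrust", "udp", 53)) == "permit"


def client_web_path(rules):
    """How a Trust client's plain HTTP request to the internet is handled."""
    return evaluate(rules, Flow("Trust", "Untrust", "tcp", 80))


def direct_egress_blocked(rules):
    """Anything from Trust that is neither redirected nor excepted must be denied."""
    return evaluate(rules, Flow("Trust", "Untrust", "tcp", 443)) == "deny"


if __name__ == "__main__":
    print("DNS without exception:", client_name_resolution_works(BASE_POLICY))
    print("DNS with exception:   ", client_name_resolution_works(POLICY_WITH_DNS))
    print("HTTP from Trust:      ", client_web_path(POLICY_WITH_DNS))
    print("Direct 443 blocked:   ", direct_egress_blocked(POLICY_WITH_DNS))
```

Running it shows the post's point: with `BASE_POLICY` alone a Trust client cannot resolve names, so even though port 80 is redirected to the proxy, nothing usable happens until the DNS exception is added in front of the catch-all deny.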