My position is that given the tools Zentyal provides (or, rather, does not provide) and the varied nature of device operating systems, user/machine authentication (it is
both, after all, since any recent device that is powered up legitimately can, and will, attempt Internet access even if no user has touched it in days) is in fact complex. It is this combination of attended and unattended authentication that helps to make things complex.
I have never said (or never should have said) that user-machine authentication is too complex. But when something is practical
only by hand modification of a Zentyal server, then we have yet to make it as simple as possible in the Zentyal tradition--a limitation of Zentyal to the extent that Zentyal can mitigate the complexity. It's not a criticism, just a fact.
That said (again, and again, and again), knstvk has begun the request for help with a transparent proxy. Unless we assume knstvk has made an uninformed choice, there is no need to rehash the problems of both kinds of access control. We risk getting ahead of the user if we do. IMHO, of course.