Sometimes it depends on the question you ask. Is the main goal is to "transparently" identify users? Or is it to "transparently" filter users?
Ultimatley, where you place the Web Gateway heavily depends on how you wish to deploy the Web Gateway. Once this is established you can decide how you want to authenticate the users.
Our best practices (https://community.mcafee.com/docs/DOC-4818) has guides about transparent vs direct deployments (https://community.mcafee.com/docs/DOC-4910), and also guides on what type of authentication you need based on the deployment method you chose (https://community.mcafee.com/docs/DOC-4384).
Based on the diagram above, it doesnt give much context on how traffic would pass through Web Gateway. It seems you are trying to setup a Transparent Bridge, but the Web Gateway isnt in the path from the users to the internet, which is why filtering is not occurring.
My goal is to transparently authenticate, and identify users, and apply quota to AD user groups. I guess my question is where do I place it on my network to effectively filter and restrict my web traffic. When I had it in-line like below and it was filtering, but I was told by support that it appeared to be exposed to the Internet and undesirable traffic was reaching my network. I will look over the info you suggested. Thanks.
It sounds like you had an open proxy situation. This would happen if you have traffic going to the internal network, from the internet (through the firewall), and it passes through the MWG (which is inline). To stop prevent an open proxy, you need to ensure that web traffic from the internet does not pass through the MWG.
In any case, I would advise trying WCCP or explicit proxy, these methods are the most common deployment methods, and can be used in tandem, where WCCP will pick up the traffic you cannot manage via GPO.
I'll be giving this a shot. I'll let you know how it works out. Thanks for your replies.