Hi Rejeesh,
What type of switch does the TMG server connect to? You may have flow options available on this. Logging web activity events on the TMG server may be another option but my limited research shows that this is problematic in DHCP enviroments. More at this link.
If you don't have flow options on your swicth then you could use a SPAN or mirror port. All managed switches contain features which allow you to take a copy of traffic going in\out one or more ports and then send it to a SPAN or monitor port. Once you have your SPAN port configured you can connect it to a system running nprobe which will convert it to flow traffic. The only thing to watch with this configuration is that while you will be able to see client systems connecting to the proxy in NTA you wont be able to drilldown to see what websites they are accessing. Also watch out for activity associated with content delivery networks (CDN) as NetFlow tools can struggle to understand this traffic.There is an excellent post at this link which explains more.
The only other option would be to deploy a deep packet inspection system and connect it to the SPAN port which I mentioned above. These systems do deep traffic analysis so that you can get proper web reporting with usernames. It won't matter what sort of client they are using or what websites they visit, it will be all logged. We develop one such system called LANGuardian which integrates with SolarWinds NPM so that you can use your existing views to find out what users are doing on the Internet. The video below shows some of this in action.
Hope this helps,
Darragh