The primary goal of TFS Proxy is to cache Version Control files and reduce the network traffic. For e.g. if we have 2 offices one in US and another in Europe and the main TFS server is in US. We do not want every TFS user in Europe to download every VC file from US. So we can have a TFS proxy in Europe office and then TFS Proxy will help cache the files transferred between US and Europe hence improving performance. But all the authentication is still handled by the main TFS Server in this case the one in US. TFS Proxy does not authenticate users. It does check the validity of the user to allow him/her to access cached files, but the actual authentication is performed by TFS Server.
Here is a extract from MSDN help on how TFS Proxy validates the users.
Team Foundation Server Proxy uses a pre-authenticated ticket scheme for determining whether a requesting user is authorized to view the content of the requested file. In this scheme, the user’s client contacts the master source control server and if the user is authorized, the client is provided a digitally signed ticket that contains the details of the file being requested. The client then presents the ticket to the proxy server. This use of public/private key signatures allows the proxy to be certain that the ticket came from the server and that the user is therefore authorized to view the file. The proxy then looks into the cache to see whether it can service the request, and if not, requests the file from the server and adds it to the cache.
Link to MSDN Document: Team Foundation Server Proxy