
Queries regarding L3 deployment with ISG

futuretec_
Contributor


Hi,

I am currently deploying UAC with ISG in L3 (agentless) to protect servers from users. The document is not clear here, so I have these questions:

 

  • Do I need to have two interfaces on the UAC, one facing users and the other facing servers?
  • When users try to access the server farm, would they have a login page?
  • I have Active Directory in my network, so shall I configure the realm with Active Directory?

Thanks in advance.

3 REPLIES
muttbarker_
Valued Contributor

Re: Queries regarding L3 deployment with ISG

1- The UAC box operates in "off path" mode - traffic does not pass through it. You will use the internal interface only.

 

2- When you use UAC you may authenticate to the box using either: Junos Pulse agent, OAC agent, Java agent, or web browser (called "agentless"). Agent-based logins don't require a login page, though that may be how you do your initial agent push-out.

 

3- AD is fine to use. If you wanted to do complex role mapping using directory attributes, you might want to set your AD box up as an LDAP server so that you can use it for authentication and then use the LDAP attributes for your authorization.

 

Hope this information helps you.

futuretec_
Contributor

Re: Queries regarding L3 deployment with ISG

In my case I am not going to use agents; the requirement is to use agentless. So does it still require authentication for the users to access protected servers, or would it matter if the client was joined to a domain or workgroup, or was even a mobile?

muttbarker_
Valued Contributor

Re: Queries regarding L3 deployment with ISG

If you want to use firewall enforcer you will need to use the agentless (browser) - have the user authenticate to the UAC and it will push the user identity out to the ISG/SSG to create dynamic policies.