Correct. We have customers that lease these systems from us. Sort of a "cloud", but not quite. They don't have administative rights. We have multicast services that the customer can pay for and subscribe to. However, if they haven't paid, then their IGMP joins should be blocked by rules on the host. Ideally we would be able to filter IGMP membership reports upstream at a L2 switch, but, because of our unique (and currently deficient) design, we are forced to do the filtering at the host level. Hopefully this is short term. In the meantime, I have to find a Windows solution. iptables does the job for our Linux offerings and works without issue. Our Windows offering is Windows 2008 R2, which comes with this firewall. I figured it would just work, and it does, except for IGMP outbound traffic, for some reason.
Thanks for your response.