Just on another note we 'have' to use the forwarding model as we use a security product on the network that would require us to add every possible PXE 'server' into a configuration for pre-authentication.
Basically we would need to add every PC into the pre-auth config which would be a nightmare and defeat the purpose of the security product.