Q: Can an Operations Manager gateway server help monitor a large number of machines in workgroups?
A: Kerberos is used between Operations Manager management servers and the agents running on monitored machines. It provides mutual authentication, but it requires the management server and the client machines to be in the same Active Directory forest or to have a trust between the hosting domains. If Kerberos isn't available, certificates from the same certificate authority chain (typically the same CA) must be used on the management server(s) and on the agents. Using certificates can lead to additional maintenance, which is where the Operations Manager gateway server comes in.
The gateway server is installed in the same untrusted domain as the agents being monitored. This allows Kerberos authentication between the gateway server and the agents in that domain, even though the management server does not trust it. Certificate authentication is then used only between the management server and the gateway server, which reduces the number of certificates required. The gateway server can also be useful if you need to be very specific about which servers can communicate through a firewall, because all communication goes through the gateway server.
In a workgroup scenario, a gateway server doesn't help because there is no concept of Kerberos within a workgroup. Certificates are still required on every workgroup machine, with or without a gateway server.