In an explicit proxy deployment, policy based on destination URL works because HTTPS traffic from the client to the ProxySG appliance uses the HTTP CONNECT method. In a transparent proxy deployment, however, policy based on destination URL often does not work because the appliance is only aware of the destination IP. In this case, you must write a rule based on the server certificate to successfully disable authentication. This allows the appliance to see the server certificate during the SSL handshake.
<SSL-Intercept>
server.certificate.hostname.substring="example" ssl.forward_proxy(no)