If your ProxySG appliance has authentication realms that accept Basic credentials, you need to ensure those credentials are encrypted on the wire. Basic credentials are only base64-encoded, so they should only ever be presented over an SSL connection to protect against eavesdropping.
For transparent clients, the answer is simple: configure the realm's virtual URL as an HTTPS URL, and ensure that authentication always uses an origin-*-redirect or form-*-redirect authentication mode, so that the client is redirected to that HTTPS virtual URL before it is asked for credentials.
For explicit clients, the above solution works only for HTTP URLs; it does not work for HTTPS URLs. When a browser loads an HTTPS URL through an explicit proxy, it starts by sending an HTTP CONNECT request to the ProxySG. The CONNECT request carries only the destination host and port, and it notifies the ProxySG that the client is about to set up an encrypted tunnel with the OCS.
Browsers will not honor an HTTP redirect sent in response to a CONNECT request. The only responses they will honor are an HTTP 200, meaning that it is okay to set up the tunnel, or an HTTP 407 proxy authentication challenge. The 407 response should be avoided when Basic credentials are in use, because the browser responds to it by resending the CONNECT with a Proxy-Authorization header before any tunnel exists. The credentials therefore cross the wire in the clear, and anyone who can see the client-to-proxy traffic can decode them.
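To make the failure mode concrete, here is a small simulation of the explicit-proxy exchange described above. It is an added illustration, not ProxySG code or policy: the proxy functions, host names, realm name and credentials are all constructed for the example. The browser side honors only 200 and 407 on a CONNECT and gives up on a redirect; the eavesdropper function shows that the 407 path exposes the username and password to anyone watching the client-to-proxy link.

```python
import base64

# Simulated explicit-proxy CONNECT handling.  Everything here is constructed
# for illustration: the host names, realm name and credentials are made up and
# none of this is ProxySG code.


def parse_head(raw: bytes):
    """Split an HTTP request or response head into (start line, header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def challenging_proxy(request: bytes) -> bytes:
    """Proxy that answers CONNECT with 407 until Basic credentials are presented."""
    start, headers = parse_head(request)
    if start.split()[0] != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    if "proxy-authorization" not in headers:
        return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="corp"\r\n'
                b"Content-Length: 0\r\n\r\n")
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


def redirecting_proxy(request: bytes) -> bytes:
    """Proxy that (wrongly) tries to redirect a CONNECT to an HTTPS login page."""
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: https://proxy.corp.example/auth\r\n"
            b"Content-Length: 0\r\n\r\n")


def browser_connect(host, port, username, password, proxy, max_rounds=3):
    """Browser side: send CONNECT, honor only 200 and 407, give up on anything else.

    Returns (tunnel_established, wire), where wire is the list of (sender, bytes)
    that an eavesdropper between browser and proxy would see.
    """
    wire = []
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()
    for _ in range(max_rounds):
        wire.append(("client", request))
        response = proxy(request)
        wire.append(("proxy", response))
        status, headers = parse_head(response)
        code = int(status.split()[1])
        if code == 200:
            return True, wire          # tunnel is up; TLS handshake would start now
        challenge = headers.get("proxy-authenticate", "")
        if code == 407 and challenge.lower().startswith("basic"):
            # The browser retries the CONNECT with credentials.  No TLS exists
            # yet, so this request, base64 and all, is readable on the wire.
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            request = (f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
                       f"Proxy-Authorization: Basic {token}\r\n\r\n").encode()
            continue
        return False, wire             # 3xx or anything else: browser drops it
    return False, wire


def credentials_seen_on_wire(wire):
    """Eavesdropper: recover every Basic credential a client sent in the clear."""
    found = []
    for sender, message in wire:
        if sender != "client":
            continue
        _, headers = parse_head(message)
        auth = headers.get("proxy-authorization", "")
        if auth.lower().startswith("basic "):
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            found.append((user, password))
    return found


if __name__ == "__main__":
    ok, wire = browser_connect("www.example.com", 443, "alice", "s3cret", challenging_proxy)
    print("407 path: tunnel", ok, "leaked:", credentials_seen_on_wire(wire))
    ok, wire = browser_connect("www.example.com", 443, "alice", "s3cret", redirecting_proxy)
    print("302 path: tunnel", ok, "leaked:", credentials_seen_on_wire(wire))
```

Run against the challenging proxy, the tunnel comes up but the eavesdropper recovers alice's password from the retried CONNECT; run against the redirecting proxy, nothing leaks but no tunnel is ever established either, which is why neither a 407 nor a redirect is an acceptable answer to a CONNECT when the realm uses Basic credentials.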
One solution to that problem is to allow the CONNECT without challenging it, intercept SSL, and then perform authentication inside the encrypted tunnel, where the credentials are protected by the SSL session between the client and the ProxySG. The policy below will do that: