ProxySG performs Kerberos callouts even when Kerberos is not enabled in the authentication realm.
Article ID: 168594
ProxySG Software - SGOS
You have observed the ProxySG reaching out on port 88 (possibly other ports depending on the configuration of the KDC) even though you do not use Kerberos for Client authentication.
Is this a potential problem and can be safely stopped?
The ProxySG appliance uses Kerberos to communicate to the DC for Schannel to pass NTLM credentials.
In effect, the ProxySG communicates to the domain using Kerberos even though Kerberos is not the client authentication method.
Disabling the Kerberos checkbox in the authentication realm simply stops 'negotiate' from being listed in the 407 from the proxy, and does not change the ProxySG's communication to the AD.
Stopping this traffic is not recommended as it would almost certainly disrupt authentication.
Do not block or restrict the Kerberos communication from the Proxy to the AD