When the browser initiates an HTTP connection using the "Upgrade-Insecure-Requests" header and is then redirected by the Proxy to authentication to the Proxy virtual URL on port 80, but the client is connecting on port 443 because of the "Upgrade-Insecure-Requests" header, which can cause an issue if the Proxy is not configured for this.
Looking at a PCAP, it can show that the Proxy redirects to port 80, but the browser then connects on 443 to the redirect URL. This is not good because the proxy is redirecting to port 80, not 443. Further, the proxy is configured for SSL auth, but not on port 443, but rather 8433. Needless to say, the authentication request fails.
Using an HTTPs reverse proxy listener that redirects to the Virtual URL on 443 or 8443.
The browser will then accept the redirect to an SSL connection, and the Proxy will be configured to intercept and authenticate this request which should fix the problem.