Kerberos authentication in transparent deployment

Article ID: 242576

Products

ProxySG Software - SGOS

Issue/Introduction

Specific changes required in SGOS for Kerberos authentication to work in transparent deployments.

Resolution

1. The virtual URL configured in the SG's realm must be a short name (not an FQDN host name). When the virtual URL is in xxx.xxx.xxx format, the client machine does not trust the host (the SG's virtual URL) and considers it to be in the Internet zone. It therefore does not perform any authentication with the ProxySG and just presents a pop-up. Broadcom also recommends keeping a short name as the virtual URL.
Ref KB https://knowledge.broadcom.com/external/article?legacyId=TECH243241

2. For transparent deployments only, no SPN account is needed. If each ProxySG is joined to the domain using a host name, and that same host name is used as the virtual URL, this is enough for the Kerberos authentication setup. (Even in a load-balancing scenario with multiple SGs, all used in WCCP transparent mode, no SPN setup is required.)