With the Symantec Endpoint Protection (SEP) client installed, there is a problem authenticating with a proxy server. The proxy server is using NTLM authentication.
The "TCP resequencing" option is enabled in the SEP firewall policy.
When capturing the network traffic errors such as "TCP Previous segment lost", "TCP Dup ACK" or "TCP Retransmission" may be seen, following the first GET request to the proxy. The HTTP 407 "Proxy Authentication Required" packet is never sent.
The "Stealth Settings" inside the SEP firewall policy provides additional protection against issues such as OS fingerprinting, but can cause compatibility problems with certain 3rd party tools. The stealth settings should only be enabled across the network after compatibility has been verified.