
No PROXYAUTH with SFOS/XG ?

And the next problem during the migration from an old UTM to the XG: in our company, access to the Internet from the internal network is protected with proxy authentication. No direct connection to the Internet is possible. The problem I have now is that the UTM has the feature of authentication via 'Basic user authentication'. The XG has only the captive portal. Yes, I know there is also SSO, STAS or the authentication clients, but at the moment we can block access from PUA.

And with the captive portal I see problems with software like Android Studio or other software which can handle Basic Auth / Proxy Auth in the proxy config dialog, but cannot open an HTML page for logging in.

So, have I not found the function for using Basic Auth, or is the XG really not able to provide this elementary feature?

  • Yes, basic auth was never implemented in the firewall, as this was rarely a requirement in the first place. SFOS has moved beyond a proxy in terms of authentication, and even Kerberos/NTLM (which is the UTM SSO) is rarely used, simply because it is built for web traffic and the firewall can use authentication for everything. Therefore you need a web request before you are authenticated, which is an issue for most customers. They moved to other authentication methods.

    PS: If you talk about software, try to authenticate the client from a client perspective.

  • Theoretically you are right, and maybe we are old school, but we have used the UTM for many situations in our network:
    The internal office network was protected via classic direct proxy (with Basic Auth). No direct Internet access was allowed.
    The public network was protected only via URL filter (and routing).
    The network for employees without office computers was protected via HTTPS scanner (transparent).

    And I can tell you, with this restrictive policy our company has lived very well over the last 10 years. Even if people brought in a virus or something else, from the inside office network that kind of software was never able to reach the Internet. On the other side, most of the software which now needs Internet was able to authenticate via the proxy. Or our Linux systems without X server: I add an HTTP_PROXY environment variable and wget works.

    Now you tell me we have to change this policy to a (in my humble opinion) more insecure way (because I have to authenticate the client, not the application).

    I know Sophos will protect us, but also from real life I can tell you that Sophos needs 12 to 24 h to detect a virus which reaches us. 12 to 24 h where ransomware can kill our company.
    It is a pity that well-functioning technologies always have to be replaced because they are no longer modern enough.

    So I must show how we can do this in the future. It looks like the feature to bind an exception to the UA is also missing (OK, this has not often worked very well).

  • Most of those approaches are network segmentation questions. You should separate everything and create own VLANs, if not already done. Security by obscurity (https://en.wikipedia.org/wiki/Security_through_obscurity) was an old approach, but nowadays malware checks for proxies and simply uses them if it finds them. Check the latest security reports on how smart those attackers are at simply using the techniques which are there (called living on the land (LOL)).

    I know, in the past you could simply build up a big firewall and your security job was done. But nowadays they develop chained attacks, which can live on the network and combine this with people to attack companies.

    PS: Static analysis is also an old approach. Use zero-day protection (Sandstorm) to detect attacks which are not known today.

    Another issue is actual hacker attacks. They use different approaches (like exploits and other stuff). If you have a foot on a system, you can "simply" steal the creds. Proxies with basic auth have to save the creds somewhere to authenticate the application. Think about the approach: in SFOS, if you authenticate the client, the client is not exposed to the creds that much (only in Windows / system context). If you authenticate each and every application, you multiply the creds on the system per app which needs the creds to authenticate. Therefore, if you give for example an app the creds to authenticate, and this app has a zero-day or known exploit (bug), an attacker can easily gain the creds and use them for other stuff (privilege escalation).

    The approach should be from a security perspective. Protect all vectors: endpoint, firewall, the network itself. Segment everything, inspect the traffic, etc. In 2021, IT should start to use techniques to investigate proactively on their network. Because the problem is, most likely attacks use the tools given to them. Check the latest reports of attacks. They use techniques which the admin offers to them. And something like Basic Auth could be such a tool to gain creds on the system, if you get there.

    Of course, there are some "ifs and buts": it is not that easy nowadays to protect yourself, because you have only one shot. If you are attacked, it could already be too late.
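The two posts above talk past each other about the same mechanism: the first describes feeding wget a proxy through the HTTP_PROXY variable, the second points out that Basic proxy auth forces every application to hold a copy of the user's credentials. The following example, added here and not taken from the thread or from any Sophos product, makes both sides concrete. It builds the Proxy-Authorization header a client derives from a proxy URL of the form http://user:password@proxy:port/, shows that the proxy side can decode it straight back to the clear-text password (which is why a stored header is as sensitive as the password itself), and shows how a proxy can verify the header against a salted PBKDF2 hash so that at least the proxy never has to keep a reversible copy. The host name, user name and password are constructed sample values; the function names are my own.

```python
"""Basic proxy authentication, seen from the client and from the proxy.

Added illustration, not code from the thread or from Sophos. All host,
user and password values are constructed samples.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

PBKDF2_ROUNDS = 200_000


def header_from_proxy_url(proxy_url: str) -> Optional[str]:
    """Build the Proxy-Authorization value a client sends for a URL like
    http://alice:s3cret@proxy.example:3128/ (the HTTP_PROXY style the
    post mentions). Returns None when the URL carries no user name."""
    parts = urlsplit(proxy_url)
    if parts.username is None:
        return None
    raw = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    # Basic auth is only base64, not encryption: anyone who can read the
    # header (or a config file holding it) can recover the password.
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def credentials_from_header(header: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic Proxy-Authorization header back to (user, password).
    Returns None for other schemes or malformed tokens."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def build_user_db(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Proxy-side store: user -> (salt, PBKDF2 digest). The plain-text
    passwords are never kept, so a dump of this table is not enough to
    replay a login elsewhere."""
    db = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        db[user] = (salt, digest)
    return db


def verify_proxy_auth(header: Optional[str], db: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """What a proxy does on each request: decode the header and compare
    against the stored hash in constant time. Unknown users still cost a
    hash computation so response timing does not reveal valid user names."""
    if header is None:
        return False
    creds = credentials_from_header(header)
    if creds is None:
        return False
    user, password = creds
    salt, digest = db.get(user, (b"\0" * 16, b"\0" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return user in db and hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: what wget would send for HTTP_PROXY=http://alice:s3cret@proxy.example:3128/
    header = header_from_proxy_url("http://alice:s3cret@proxy.example:3128/")
    print("client sends:", header)
    print("anyone can decode it to:", credentials_from_header(header))
    db = build_user_db({"alice": "s3cret"})
    print("proxy accepts:", verify_proxy_auth(header, db))
```

The proxy-side hashing only limits what a compromise of the proxy reveals. It does nothing for the point made in the second post: every client application configured this way still holds the clear-text pair, and a defender reviewing such a setup should inventory where those HTTP_PROXY strings and proxy config dialogs live.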

  • You are right, storing of credentials is one point of security fault. This is the reason why we have disabled this feature at every point where it was possible (and tell the users that they don't have to do this).

    And yes, the next step is that bad software uses a keylogger and so gets the credentials. But this was only one point of the security. We have a little control over which application wants to go to the Internet. If a proxy auth login box pops up during installation of a software, we know: this software wants to go to the Internet.

    Now you say to me we have to identify the client and the rest will be done by Sophos. That is OK, but you say it yourself: these guys are very smart. And sometimes an old way of life is not the worst. You must only combine it with modern systems. This is/was one of the reasons we now switch to the XG. But that you have cancelled one of the basic features (simple PROXY ONLY over PROXY AUTH for one network segment, which is completely isolated from the other networks and only Sophos has connection to all networks) is very hard to understand for me. I know PROXY ONLY is not smart. But it works because Sophos still provides security in the end.

  • Just for clarity: keyloggers are not the only issue. You can see how easily you can dump stored creds (used creds) from applications (for example see Mimikatz and other tools). A keylogger is actually a harder tool to get creds.

    PS: Malware uses morphing to simply hide in known applications. They pretend to be a browser and/or other allowed apps.

    Nowadays nearly every app wants to reach the Internet (for license sync and other stuff). Not sure how to deal with this in a larger setup.

    The firewall uses an IP mapping approach, which means the client will be authenticated in the context of the logged-in user, not the individual software. This means there is no reason to give an approach to authenticate per application in the first place.

    It is important to understand that the only way to fight back nowadays is to offer a complete security solution, not a proxy only and hoping this is enough. You have only one shot to fight back. If somebody breaches your network, it's literally too late to discuss this matter.

    What do you use on the endpoints? Because most of your issues and challenges are actually endpoint topics.

  • I understand your approach and your argumentation. And I know that our way will not work in all situations. But isolation of the network and allowing access to the Internet only via HTTP/HTTPS through the proxy was a technique which has worked very well. Yes, maybe malware has got the credentials, but on the proxy server a security application was still working. And I can tell you that users react sensitively when the login window suddenly pops up.
    And I don't understand why in DirectProxy mode (and only there) Sophos has not implemented PROXYAUTH. If a customer used it, it is something different, but at the moment we MUST implement a completely new way how apps with the ability of PROXYAUTH but NO user interaction will come to the Internet in the future.

    With the endpoint software I still have the same problems as with the UTM/XG. It is maybe too late. Yes, with Sandstorm (now Zero Day Protection) Sophos has a technique which will hopefully detect danger much faster than the classic scan way. For me, the best way is to use more than one technique from more than one manufacturer. And separating the network with DirectProxy (and ProxyAuth) was one piece of the whole security concept. Not the smartest, but it has worked for years.

    I think we can stop the discussion here, because the original question was answered. No PROXY AUTH in DirectProxy mode. So we have to see how we will solve this new situation. Thank you for your quick reply and patience in responding to my statements.