This issue happens when you don't have a valid SSL License. Without an SSL License, the ProxySG appliance will try to tunnel the traffic, but will fail to pass the connection. A sample transaction is given below, where no SSL License is available on the ProxySG.
start transaction -------------------
CPL Evaluation Trace: transaction ID=617330057
<Proxy>
MATCH: ALLOW url.domain="123.testdomain.com"
<Forward>
MATCH: server_url.domain=//123.testdomain.com/ forward("123_testdomain") forward.fail_open(no)
<Proxy>
MATCH: client.address=10.1.1.1 trace.request(yes) trace.rules(all) trace.destination(AccessTest.html)
connection: service.name=Explicit HTTP client.address=10.1.1.1 proxy.port=8080
time: 2013-09-20 07:00:00 UTC
CONNECT tcp://123.testdomain.com:443/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
user: unauthenticated
url.category: none@Blue Coat
application.name: none
application.operation: none
DSCP client outbound: 65
DSCP server outbound: 65stop transaction --------------------
The example policy trace shows that the forwarding rule gets hit, but it will not work without an SSL License.
Note: This only needs the presence of a valid SSL License. SSL interception is not a must.