Users in your site have installed CyberGhost VPN, a plugin for Google Chrome, allowing them to access websites that are prohibited by your site's policy/regulations.

VPN CyberGhost VPN tries to connect via 5443 on the following servers (there might be more than the ones listed): 

USA server: 38.95.109.53 
Germany server: 185.93.180.67 
Netherlands server: 77.243.189.212 

A scan via https://pentest-tools.com/discovery-probing/tcp-port-scanner-online-nmap# on the USA server IP address has the following result. Note the entry on port 5443.

PORT STATE SERVICE 
20/tcp open ftp-data 
53/tcp open domain 
80/tcp open http 
443/tcp open https 
1723/tcp open pptp 
3128/tcp open squid-http 
3306/tcp open mysql 
3389/tcp open ms-wbt-server 
5443/tcp open unknown                                 
8080/tcp open http-proxy 
8081/tcp open blackice-icecap 
8443/tcp open https-alt 
9082/tcp open unknown 
9091/tcp open xmltec-xmlmail 

For the ProxySG appliance to block traffic connecting through CyberGhost VPN, you must intercept port 5443 as SSL. If this doesn't work in your environment, determine what other port and IP address CyberGhost VPN is using and act accordingly. 

The best approach is to make use of firewall logs to determine what ports the clients using CyberGhost VPN are using to connect.