Many Corporate environments have a security setup on the local network. One of the frequently used deployment scenarios includes Proxy Server on the way to the internet to control, or monitor, outbound traffic.
Traffic secured by Secure Access Cloud (SAC) has no essential reason to pass through SWGs or Proxy Servers, since the auditing is done by SAC itself. Consequently, passing this data through the organizational proxy will not gain additional security value but will increase the resource requirements on the proxy server itself.
Addition reason to avoid passing SAC traffic through a Proxy is certificate-based trust. In order to keep the communication secured the SWGs or Proxy Servers will have to be authenticated with their own certificate. This will prevent SAC to authenticate connectors placed behind the Proxy with its unique certificate to guarantee the connector identification.
Getting a more detailed look on a topology, it would be recommended to allow connectors direct outbound connection to SAC Front End URLs specified in this link by defining relevant Firewall rules.

Note: In some cases, the IP addresses of the SAC may change, hence its recommended to use URLs for the firewall rules.

However, due to the different constraints & considerations (such as inability to configure Firewall exclusions), some organization prefer to keep the Proxy Server for the whole organization's traffic.
The example in the picture below describes the scenario where one application (app1.tenant.com) secured by SAC & Firewall assumed to provide connectivity from Proxy Server only:

SAC fully supports this topology, by setting Proxy parameters as part for the Site Provisioning process.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)