Instead of leveraging a "legacy" on-site proxy, you could take a look at current SASE (Secure Access Service Edge) offerings like Umbrella.
The integration with Umbrella provides you with DNS security and cloud-based firewalling/proxy capabilities without having to backhaul traffic from other locations or even VPN clients. Therefore, it doesn't matter where your endpoints are located, be it sitting in your HQ or at a nice beach somewhere in the world.