I do not see an option to allow logins through secure LDAP port 636 for ESXi hosts.  Is there a way to make sure an AD login directly to the host does not have credentials sent in clear text over 389?

Does the authentication proxy perform secure logins or is it just used to join the host to AD?  I am using ESXI 6.0 U1 btw

Our security group for obvious reasons requires authentication be secure and also require AD login instead of local accounts.