We have MWG set up in transparent proxy mode and have configured a captive portal (based on the built-in template for IP auth) to authenticate users, but have a couple of issues.
First of all, SSL pages do not redirect to the logon page; the client gets an SSL error. If the user is already logged in, the pages work fine. It appears that the SSL tunnel can't be intercepted properly to inject the HTTP 302 to redirect to the logon page. I looked into the possibility of enabling the SSL Scanner, but from what I can gather I need to use a certificate on the MWG boxes which is always trusted by the end users. However, this is for a guest network, and we don't have any management over the end user devices, so we cannot install the certificate on them. Is this a problem we are just going to have to live with? It still works, it's just inconvenient.
To make this process as painless as possible, we would like to resolve either one of these problems; we don't need both, just one, though I wouldn't mind working out both if possible.
Any advice is welcome. I can provide the rule-set we are using if you like, but as I said, it's basically the built-in template with a few tweaks to the login page format, set to authenticate against AD.
Based on a comment on this page by Andre Sabban @ McAfee, my thoughts on the SSL issue are right:
I can't redirect an SSL request to another page without the SSL scanner operational, and I don't want to do that in this scenario because I can't control the end device certificate store.
I hope these comments help others trying to implement anything similar.
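The mechanics behind the SSL symptom described in this thread, as an added example that is not part of the original post and has nothing to do with MWG's own code: a tiny "portal" listener answers every connection with an HTTP 302 to the logon page, exactly what a transparent proxy does for an unauthenticated plain-HTTP request. A plain HTTP client receives and can follow the redirect. A TLS client sends a ClientHello, receives HTTP bytes where it expects a ServerHello, and aborts the handshake with an SSLError, which a browser renders as an SSL error page. The hostnames and the portal URL are made up for the example; only the Python standard library is used.

```python
"""Why a transparent captive portal cannot redirect HTTPS with a 302.

Constructed example (not code from the original post or from MWG): a tiny
'portal' listener that answers every connection with an HTTP 302 to the
logon page. A plain HTTP client gets the redirect; a TLS client gets HTTP
bytes in place of a ServerHello and fails the handshake. All hostnames and
the portal URL are assumptions made up for this demonstration.
"""
import socket
import ssl
import threading

LOGON_URL = "http://portal.example.test/logon"   # assumed portal address

# The response an unauthenticated plain-HTTP request gets from the portal.
REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    f"Location: {LOGON_URL}\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "\r\n"
).encode()


def start_portal():
    """Listen on an ephemeral loopback port and answer whatever arrives,
    HTTP request or TLS ClientHello alike, with the 302. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(4096)          # request bytes are ignored on purpose
                    conn.sendall(REDIRECT)   # injected redirect, whatever the protocol
                except OSError:
                    pass                     # client already gone; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def http_request(addr, host):
    """Plain HTTP through the portal: returns (status_code, Location header)."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *headers = head.split("\r\n")
    status = int(status_line.split()[1])
    location = None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def https_request(addr, host):
    """HTTPS through the portal: attempt the TLS handshake. Returns None on
    success, otherwise a string describing the failure. The portal answers
    with HTTP bytes instead of a TLS record, so the client's TLS library
    rejects the very first record and never sees the Location header."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection(addr, timeout=5) as s:
            # wrap_socket() on a connected socket performs the handshake here
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                tls.sendall(b"GET / HTTP/1.1\r\n\r\n")
        return None
    except ssl.SSLError as e:
        return f"SSLError: {e.reason}"
    except OSError as e:
        return f"{type(e).__name__}: {e}"


if __name__ == "__main__":
    portal = start_portal()
    print("HTTP :", http_request(portal, "www.example.test"))
    print("HTTPS:", https_request(portal, "www.example.test"))
```

The HTTP client comes back with `(302, 'http://portal.example.test/logon')`; the HTTPS client reports an `SSLError` (OpenSSL's `WRONG_VERSION_NUMBER`, because the first bytes of "HTTP/1.1" are read as a TLS record header) and the redirect is never delivered. The same outcome holds if the proxy does terminate TLS with its own certificate: the client then gets a proper ServerHello but rejects the certificate chain, so the redirect still never reaches the browser, which is why the SSL Scanner route needs a CA the guest devices already trust. The usual mitigation on an unmanaged guest network is to rely on the clients' own captive-portal detection, which probes a well-known plain-HTTP URL and so does receive the 302.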