We do not have an internal CA. I set a rule in place to block *.talk.google.com and receive certificate errors when navigating to it (talk.google.com). Under Settings --> Engines --> SSL Client Context with CA --> Default CA, it is populated with the default McAfee Web Gateway. What are our options? Thanks!
The behaviour should be normal. If you access talk.google.com via HTTPS, the request goes through MWG. When MWG processes the block rule, it wants to send an error message to the browser. The connection is HTTPS, so MWG has to respond with an SSL certificate in order to show content to the browser.
So which certificate should MWG use to set up this encrypted connection? It cannot use the original certificate from talk.google.com, because we do not know the private key and cannot inject content into this SSL connection (which is actually what SSL is for :-)), so the only option MWG has is issuing its own certificate, which is signed by the CA configured in the SSL Client Context with CA.
The only other option is to not use a block action but use a redirect action instead, and redirect the user's request to a different website or a generic error you host somewhere. A redirect is the only response a browser can process once it has requested an SSL website. (Note: This is only true for explicit proxy environments. If you are using a transparent proxy, this option is not available.)
If you do not allow MWG to use its CA (by not having an Enable SSL Client Context rule), MWG will respond with a plain-text answer. The browser cannot read a plain-text answer when it requested an HTTPS URL, so it will drop a generic "Proxy Failure" or "Page cannot be displayed" error, which is not very nice.
I recommend distributing a CA to the client browsers.