I would like to know how you configure the SSL scanner for Proxy HA. Specifically, how do you manage the certificates for multiple web gateways?
All proxies in a centrally managed group share the same policy, including the CA certificate used for SSL scanning. You do not need one for each proxy.
You only need one certificate for all MWGs. For the common name you can put whatever, like: "INSERT COMPANY NAME HERE Filtering CA"
This certificate needs to be a Subordinate Certificate authority. This is very different from what a CA admin will be asked to do, so be explicit that you need a Sub CA, NOT a web server certificate.
No, you don't have to use that method, as there are multiple ways to create a CA, one of which is simply generating one via the MWG UI as outlined here:
But with that method I am creating a certificate, then the customer will have to generate a GPO and deploy the certificate.
What we want is to use the Microsoft CA of my client to generate the certificate, so that he doesn't have to deploy the certificate with a GPO, because the users already trust the Microsoft CA of the organization.
You do indeed want to follow that guide if you have a Microsoft CA. If and when you get stuck, don't hesitate to give me or Brent a call and we can help out.
The tricky part is converting the pfx to crt and a key along with the chain.
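
The PFX-to-PEM conversion mentioned in the last reply, combined with a check that the issued certificate really is a CA certificate and not a web server certificate, as an added example that is not part of the original thread. It assumes `openssl` is installed and the PFX password is exported as `PFX_PASS`; the function names and output file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl on PATH, the PFX password
# exported as PFX_PASS, illustrative output names ca.key / ca.crt / chain.pem.

# split_pfx <file.pfx> <outdir>: write private key, CA certificate and chain as PEM.
split_pfx() (
    pfx=$1; out=$2
    umask 077                 # the key is written unencrypted: owner-only files
    mkdir -p "$out" || exit 1
    # OpenSSL 3.x may need -legacy for PFX files protected with older algorithms.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes |
        openssl pkey -out "$out/ca.key" || exit 1
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys |
        openssl x509 -out "$out/ca.crt" || exit 1
    # Everything that is not the key's own certificate is the issuing chain.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/chain.pem"
)

# check_filtering_ca <outdir>: exit 0 if the files are usable as an SSL-scanning CA,
#   2 = key does not match certificate, 3 = not a CA certificate, 4 = chain fails.
check_filtering_ca() (
    d=$1
    key_pub=$(openssl pkey -in "$d/ca.key" -pubout) || exit 2
    crt_pub=$(openssl x509 -in "$d/ca.crt" -noout -pubkey) || exit 2
    [ "$key_pub" = "$crt_pub" ] || exit 2
    # A web server certificate carries CA:FALSE (or no basic constraints at all).
    openssl x509 -in "$d/ca.crt" -noout -text | grep -q 'CA:TRUE' || exit 3
    openssl verify -CAfile "$d/chain.pem" "$d/ca.crt" >/dev/null 2>&1 || exit 4
)
```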