Ok, perhaps my mind is just fried, but how can we be sure MWG is doing cert verification? If we skip content inspection the client sees the original web site cert, so how does one confirm cert verification unless it fails?
Also, why does MWG completely skip SSL altogether for things like webex and citrix? Why not still verify the cert?
It is important to understand that typically SSL scanning will happen in three steps/pseudo cycles:
1. CONNECT
2. Certificate Verification
3. Content Inspection
During the CONNECT you enable Certificate Verification (CERTVERIFY), during CERTVERIFY, you decide if you want to enable Content Inspection.
So just because Certificate Verification was enabled, this does not mean that Content Inspection was used. As a result, MWG will not be the issuer of the certificate you see in the browser. However, if MWG detected a bad certificate, it will block the page, and you will see the MWG cert.
As far as MWG goes, it does not skip things like webex and citrix by default, but if you enable Certificate Verification, then that dictates how MWG establishes the handshake with the remote server. So it might still be possible to inspect the certificate, and you could just bypass it from Content Inspection.
There have been cases where I have seen webex or citrix make requests by IP address, which resulted in a common name mismatch (which would be blocked by Certificate Verification).
There are a number of SSL scanning examples here:
I don't work for McAfee, so I can proffer an opinion/alternate viewpoint as to why the default rules are the way that they are. Vendors have to deliver a default rule set that works out of the box for the majority of their customers -- or they'll be swamped with support calls and/or won't have customers.
The SSL Scanner rule set is pretty complicated and unexpected things can happen if things don't happen in the right order so the most customer-friendly solution is to keep the entire rule set together and set it up as one of the first rule sets that are hit by any connection. In https://community.mcafee.com/docs/DOC-5212 it is shown below Global Whitelist, but above Global Blacklist. This makes it so that when sites are blocked in the Global Blacklist the browser understands the block message that it receives. It does not, however, handle situations (in terms of allowing the browser to get an understandable response) if something in the global whitelist times out or otherwise fails.
When you start layering in things like coaching and bypasses based on specific criteria that can only be obtained after Enable Certificate Verification has been called, but before Content Inspection, and you're also trying to make the rule set efficient, things get really complicated...
I may have an additional thought or two about verification of Common Name and the worth and/or validity of that check, but I need to let those thoughts percolate a bit before they're ready for prime time.
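As an added illustration (not MWG code, and not the rule syntax from DOC-5212), the following Python model ties together the two replies above: the CONNECT -> Certificate Verification -> Content Inspection flow from the first reply, including the webex/citrix case where the certificate is still verified but content inspection is bypassed and the common-name mismatch that a request by IP address produces, and the rule-set ordering (Global Whitelist, then SSL Scanner, then Global Blacklist) from the second reply, including why a blacklist block is only readable by the browser when the SSL scanner has already run. All host names, certificate records and list entries are constructed sample data, and the `Cert`, `Outcome` and rule-set functions are hypothetical names for this example.

```python
"""Toy model of a proxy SSL scanner pipeline (added example; not MWG's code).

Phase 1 is the CONNECT request, phase 2 is Certificate Verification
(CERTVERIFY), phase 3 is the decision whether to enable Content Inspection.
Rule sets run in order; the first one that returns an Outcome ends processing.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed policy lists for the example.
GLOBAL_WHITELIST = {"intranet.example.test"}
GLOBAL_BLACKLIST = {"blocked.example.test"}
CONTENT_INSPECTION_BYPASS = {"webex.example.test", "citrix.example.test"}


@dataclass
class Cert:
    """Minimal view of a server certificate (constructed, not parsed from DER)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries
    trusted_chain: bool = True
    expired: bool = False


@dataclass
class Outcome:
    action: str                 # "allow" or "block"
    cert_verified: bool         # CERTVERIFY ran and passed
    content_inspected: bool     # proxy would terminate TLS and inspect content
    block_page_readable: bool   # browser can render the proxy's block page
    reason: str = ""


def _dns_match(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def name_matches(cert, requested_host):
    """Compare the CONNECT target with the certificate's names.

    An IP literal matches only an iPAddress SAN, which is why a client that
    connects by IP to a host whose certificate carries only DNS names fails
    name verification.  A DNS name matches a dNSName SAN, or the subject CN
    when the certificate carries no dNSName SANs at all.
    """
    try:
        ip = ip_address(requested_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip_address(entry) == ip for entry in cert.san_ip)
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_dns_match(name, requested_host) for name in names)


def verify_certificate(cert, requested_host):
    """Phase 2 (CERTVERIFY): return the list of problems; empty means valid."""
    problems = []
    if not cert.trusted_chain:
        problems.append("untrusted issuer")
    if cert.expired:
        problems.append("expired")
    if not name_matches(cert, requested_host):
        problems.append("common name mismatch")
    return problems


def global_whitelist(state):
    if state["host"] in GLOBAL_WHITELIST:
        return Outcome("allow", False, False, False, "global whitelist")
    return None


def ssl_scanner(state):
    state["scanner_ran"] = True
    if not state["certverify_enabled"]:
        return None
    problems = verify_certificate(state["cert"], state["host"])
    if problems:
        # Bad certificate: the proxy blocks and serves its block page under
        # its own certificate, so the browser sees the proxy cert.
        return Outcome("block", False, False, True, "; ".join(problems))
    state["cert_verified"] = True
    # Phase 3: content inspection is decided here; bypassed hosts keep the
    # verified certificate but are not inspected.
    state["content_inspected"] = state["host"] not in CONTENT_INSPECTION_BYPASS
    return None


def global_blacklist(state):
    if state["host"] in GLOBAL_BLACKLIST:
        # The block page is readable only if the scanner already ran on this
        # connection; otherwise the browser just sees a failed tunnel.
        readable = state["scanner_ran"] and state["certverify_enabled"]
        return Outcome("block", state["cert_verified"], False, readable, "global blacklist")
    return None


DEFAULT_ORDER = (global_whitelist, ssl_scanner, global_blacklist)


def process_connect(host, cert, certverify_enabled=True, rule_sets=DEFAULT_ORDER):
    """Run the rule sets in order for one CONNECT request."""
    state = {"host": host, "cert": cert, "certverify_enabled": certverify_enabled,
             "scanner_ran": False, "cert_verified": False, "content_inspected": False}
    for rule_set in rule_sets:
        outcome = rule_set(state)
        if outcome is not None:
            return outcome
    return Outcome("allow", state["cert_verified"], state["content_inspected"], False)


if __name__ == "__main__":
    webex = Cert("webex.example.test", san_dns=["webex.example.test", "*.webex.example.test"])
    print(process_connect("webex.example.test", webex))   # verified, not inspected
    print(process_connect("203.0.113.10", webex))         # by IP: name mismatch, blocked
    print(process_connect("blocked.example.test", Cert("blocked.example.test")))
```

Running the script with the scanner placed after the blacklist (`rule_sets=(global_whitelist, global_blacklist, ssl_scanner)`) shows the ordering point from the second reply: the host is still blocked, but `block_page_readable` is False because no TLS handshake with the proxy ever happened.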