We currently install a certificate on client computers to enable SSL scanning on clients to suppress SSL errors in the browser. Can I purchase a certificate from somewhere which I can install on my MWG to avoid having to install a certificate on clients to prevent these SSL errors? If so, what kind of certificate & can anyone give me any pointers?
You need a certificate authority, a certificate that is allowed to sign other certificates. You will most likely not get one from one of the trusted vendors, so you usually have to implement your own company-wide CA and roll out that certificate, or get a subordinate CA certificate from an existing CA within your company and import that into MWG. In that case the existing CA certificate should already be rolled out to clients, for example within your AD domain.
For everyone within the AD environment I would distribute the certificate via GPO. For all other users I would introduce a "welcome page" which gives some advice on this topic. A "welcome page" (also known as a captive portal) will show a custom site once a day when a user starts browsing. You could place some comments about SSL Scanning and provide hints on how users can manually import the CA certificate into their browsers.
As an alternative, you can easily place a link to such documentation in all error templates.
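To illustrate the point made in the first reply, that the gateway needs a certificate allowed to sign other certificates, here is an added example (not part of the original thread and not MWG configuration) that builds a throwaway PKI with OpenSSL and shows a chain through a subordinate CA validating while a chain through an ordinary server certificate is rejected. It assumes OpenSSL 1.1.1 or later is on the PATH; every name, key and certificate is constructed locally for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI: all names, keys and certificates are generated locally.
work=$(mktemp -d) && cd "$work" || exit 1

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue NAME CN SIGNER SECTION: new key and CSR, signed by SIGNER with SECTION's extensions
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$4" -days 30 -out "$1.crt" 2>/dev/null
}

# is_ca NAME: succeeds if the certificate carries basicConstraints CA:TRUE
is_ca() { openssl x509 -in "$1.crt" -noout -text | grep -q 'CA:TRUE'; }

# verify_chain INTERMEDIATE LEAF: validate LEAF up to the root that clients trust
verify_chain() {
  openssl verify -CAfile root.crt -untrusted "$1.crt" "$2.crt" >/dev/null 2>&1
}

# Company root CA: stands in for the certificate already rolled out to clients.
openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.crt -subj "/CN=Constructed Company Root CA" -days 30 2>/dev/null

issue subca  "Constructed Gateway Sub CA" root   ca    # subordinate CA for the gateway
issue server "gateway.example.test"       root   leaf  # ordinary server certificate
issue good   "www.example.test"           subca  leaf  # site cert signed by the sub CA
issue bad    "www.example.test"           server leaf  # site cert signed by the server cert

for c in subca server; do is_ca "$c" && echo "$c: CA:TRUE" || echo "$c: CA:FALSE"; done
verify_chain subca good && echo "good: chain accepted"
verify_chain server bad || echo "bad: chain rejected (issuer is not a CA)"
```

Running `openssl x509 -in <file> -noout -text` on the certificate you plan to import into the gateway and checking for `CA:TRUE` and `Certificate Sign` under the extensions is the same check applied to a real file.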