So, in your rulesets, I'm guessing you enabled the "SSL Scanner"; this will cause the Web Gateway to scan the SSL traffic. A byproduct of this will be that the Web Gateway will sign the server certificate (in your example it is secure.nai.com) with its own root CA.
And it looks like you do not have the Root CA added to the browser's "Trusted Root Certification Authorities". This can easily be configured individually under Tools > Internet Options > Content > Certificates. Alternatively, this can be pushed out via GPO in your security settings.
Otherwise, if you do not want to perform SSL scanning, simply disable the ruleset and the browser errors will disappear.
The SSL scanner is a bit like a man in the middle attack. The proxy will connect to the web server and negotiate an SSL session; it is then able to decrypt the page, and after scanning the content it will re-encrypt the page and send it on to the end user. However, as it does not have the web server's SSL certificate, it is unable to sign it like the original page; therefore it has to re-encrypt the page using its own certificate.
To make the SSL negotiation seamless, therefore, you need to install your own root certificate on all the clients that use the proxy server.
Standard practice would also be to not decrypt highly sensitive sites such as banking.
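The re-signing described in the post above, reproduced with OpenSSL as an added illustration (this is not McAfee's code or configuration): a constructed "gateway" root CA issues its own leaf for the host name from the thread, and chain validation is then run once with only a stand-in for the browser's shipped public roots and once with the gateway CA added. Every certificate and name here is constructed on the fly; nothing is the real secure.nai.com certificate.

```shell
#!/bin/sh
# Constructed demo: the proxy cannot present the real server certificate, so it
# issues its own leaf for the host, signed by the gateway's root CA. Clients that
# do not trust that root see the certificate error described in the thread.
set -eu
WORK="$(mktemp -d)"
HOST="secure.nai.com"   # host name from the thread only; the cert below is ours, not the site's

# Self-signed root: $1 = CN, $2 = output basename. Used for both the gateway CA
# and a stand-in for the public roots a browser ships with.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -signkey "$WORK/$2.key" -set_serial 1 -days 30 \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# The re-signed leaf for $HOST that the browser actually receives from the gateway.
resign_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/gateway-ca.pem" -CAkey "$WORK/gateway-ca.key" \
    -set_serial 1000 -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Chain validation as a client would perform it against the trust store in $1.
# Prints "ok" when the chain builds, "untrusted" otherwise (the browser's cert error).
verify_as_client() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# Who issued the leaf? Seeing the gateway CA here instead of the site's public CA
# is how a user or admin can tell the session is being decrypted by the proxy.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

make_root "Example Web Gateway Root CA" gateway-ca
make_root "Stand-in Public Root CA" public-roots
resign_leaf
echo "issuer:                  $(leaf_issuer)"
echo "browser w/o gateway CA:  $(verify_as_client "$WORK/public-roots.pem")"   # untrusted
echo "browser with gateway CA: $(verify_as_client "$WORK/gateway-ca.pem")"     # ok
```

The same root has to reach every trust store a client actually uses; the Firefox and Thunderbird stores mentioned later in the thread are separate from the Windows store that IE, Chrome and Safari read.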
So I take it that you did not have both certificates trusted, which is why you were getting prompted?
You can indeed import the certificates from #1 onto #2. Did you create your own? All that needs to be done is to take the certificate, key, and password, then import it on to #2 under Policy > Settings > Set Client Context > Default.
I was asking if the clusters share the same certificate. When I log onto my Gateway, I do not see any place for another certificate; there is only one Default CA. It looks like the cluster shares it just like the rule set.
I don't get many certificate errors myself, just select people who do have the "Web Gateway" cert installed.
What is McAfee's suggested setting for Financial/Bank SSL sites? Should they be skipped from SSL Scanning?
We generated a certificate and imported it into our primary appliance. The secondary appliance picked it up automatically, so only one CA is installed in our browsers' "Trusted Root Certification Authorities" store.
No mention has been made of this in this thread that I've seen, but I noticed that Mozilla Firefox will happily use IE's proxy settings, but does not use IE's certificate store. As a result, the user will be presented with the invalid cert error in Firefox, even if the CA has been installed into the IE certificate store.
To remedy this, we generated a "Firefox Extension" that installed the CA into Firefox's CA store. (Thunderbird behaves the same way -- it has its own CA store apart from Firefox and IE, that must also be updated if Thunderbird goes through the proxy.)
So far in our testing, Google Chrome and Safari both use IE's proxy settings and certificate store and no additional configuration was required for those browsers.