I haven't really focused in on this yet, but I've been seeing some situations where MWG reports that a certificate has been revoked, but out-of-band systems don't confirm that.
Although I have seen this with other sites, one of the main ones I see it with are Cisco sites.
At the moment I am configuring our first (test) MWG7 system with SSL inspection, and I have the same problem with the following (Cisco) site:
Does anybody know the reason for this?
When a client connects directly to the site (without MWG), there is no problem.
I have seen this before. Cisco has a CA for which they have not properly configured OCSP, or the CA does not know of its subordinate:
Issuer: DST Root CA X3
SubCA: Cisco SSCA2
These appear to be the same CAs used in the URLs you have given.
The MWG checks with the CA's OCSP responder, and the CA (DST Root CA X3) returns an "unknown" response for the subCA (Cisco SSCA2). This is why the block occurs.
WebEx isn't actually HTTP traffic encapsulated in SSL and the proxy doesn't understand what to do with it. A Stop Cycle rule for the WebEx destination will allow the traffic.
There's a McAfee subscription list that you can use for WebEx destination IP addresses and there's a template rule set for WebEx on contentsecurity.mcafee.com -- rule set 50027. The rule should go above your SSL Scanner rules.