have you read the best practices document?
Yes. If you do any type of SSL scanning, you must install a CA certificate on each workstation to avoid certificate warnings.
If there is already an internal CA that you have where the root certificate is already installed on the client, then you can have that same root CA create a subordinate CA that can be put on MWG.
You cannot use a public certificate from a public CA to do this.
There is no way around this. All SSL interception products from all vendors work the same way. This is how SSL works.