In the MWG, there is a checkbox for "send empty plaintext fragments".
This can be found under Policy > Settings > Engines > SSL Scanner > Enable Content Inspection. Uncheck the box for "send empty plaintext fragments".
If you have forward and reverse proxy using the same "Enable Content Inspection" settings, you should create a separate settings container for reverse proxy.
This seems to work. Is there any downside to disabling the feature? What does it do?
This feature is used to protect SSL connections from attacks similar to BEAST. See http://www.h-online.com/security/news/item/First-solutions-for-SSL-TLS-vulnerability-1349813.html
For reverse proxy it's not as important to be enabled because MWG is protecting internal servers and MWG is handling all the SSL anyways.
For forward proxy it *is* important to have enabled, so that MWG will insert the empty plaintext fragments in order to prevent itself from being subject to attacks like BEAST.
If you have a webserver not compatible with this, you can create a separate SSL settings container which doesn't have it enabled. This would be above the last rule in Handle Connect call.
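Added example, not part of the thread and not McAfee code: a way to check from a packet capture whether a sender is actually emitting empty plaintext fragments, which helps when deciding which settings container a destination needs. It assumes one direction of a reassembled SSL 3.0/TLS 1.0 stream, a CBC suite with a 20-byte HMAC-SHA1 and 16-byte blocks, and minimal padding; all function names and the sample bytes are constructed for illustration.

```python
import struct

APPLICATION_DATA = 23
CHAINED_IV_VERSIONS = {(3, 0), (3, 1)}  # SSL 3.0 / TLS 1.0: CBC IV chained across records

def empty_record_len(mac_len=20, block_len=16):
    """Ciphertext size of a zero-byte fragment: MAC + padding-length byte, rounded up."""
    body = mac_len + 1
    return -(-body // block_len) * block_len

def parse_records(stream):
    """Return (content_type, (major, minor), length) for each complete record."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if pos + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        records.append((ctype, (major, minor), length))
        pos += 5 + length
    return records

def find_empty_fragments(stream, mac_len=20, block_len=16):
    """Indexes of application-data records sized like an empty fragment
    and immediately followed by another application-data record."""
    marker = empty_record_len(mac_len, block_len)
    recs = parse_records(stream)
    hits = []
    for i in range(len(recs) - 1):
        ctype, version, length = recs[i]
        if (ctype == APPLICATION_DATA and version in CHAINED_IV_VERSIONS
                and length == marker and recs[i + 1][0] == APPLICATION_DATA):
            hits.append(i)
    return hits

def _record(ctype, length, version=(3, 1)):
    # Constructed record: real header, zero bytes standing in for ciphertext.
    return struct.pack("!BBBH", ctype, version[0], version[1], length) + b"\x00" * length

# Constructed samples: the same traffic with and without the setting enabled.
WITH_FRAGMENTS = (_record(22, 48) + _record(23, 32) + _record(23, 272)
                  + _record(23, 32) + _record(23, 96))
WITHOUT_FRAGMENTS = _record(22, 48) + _record(23, 272) + _record(23, 96)

if __name__ == "__main__":
    print("enabled :", find_empty_fragments(WITH_FRAGMENTS))
    print("disabled:", find_empty_fragments(WITHOUT_FRAGMENTS))
```

A real message of up to 11 bytes encrypts to the same 32-byte record, so treat a single hit as inconclusive; a marker-sized record in front of every data record is the pattern to look for.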