that is how SSL Scanner works! When you enable SSL Scanner MWG replaces the server certificate with one it has the private key for. Without SSL Scanner:
Client <--- server certificate for www.facebook.com ---> Server
With SSL Scanner
Client <--- certificate issued by MWG for www.facebook.com ---> MWG <--- server certificate for www.facebook.com ---> Server
MWG creates server certificates for requested URLs on the fly and signs them with the Root CA which is configured in the "Enable Client Context" rule.
1.) If you disable SSL Scanner you have no "Enable Client Context" rule, e.g. MWG does not have a Root CA to sign certificates with. If you go to an HTTPS web site and MWG blocks access it has to talk HTTPS to the browser. It cannot do this, because it has no certificate to sign the connection, so it sends a plain-text error message. The browser cannot understand this and shows "Page cannot be displayed"
2.) You need to have a Root CA for which you own the private key exported to all clients and stored into their stores of "Trusted Certificate Authorities", via GPOs or other ways. This Root CA + its private key need to be known by MWG to create new certificates. The Root CA for MWG can be a subordinate CA of the one trusted in the browsers.
Thanks a lot this helps