By Web Console I assume you mean Web Gateway.
- This depends on your network topology. If you have multiple offices each with there own internet connection which you apply VPN on to stitch into a single logical network but send internet traffic bound traffic directly out the network, then I would say yes, it would best to have an MWG at each office. However if you have multiple offices with leased lines and they share 1 internet connection, then you would only need an MWG where the internet connection is. you could also use the McAfee cloud rather than have a local proxy server if there are a lot of internet egress points and you don't want to host loads of servers.
- You could the McAfee Client Proxy to redirect traffic to the MWG. This is an application installed on each end point and is network aware able to redirect internet traffic to either the local proxy, the McAfee Cloud filtering service, or directly to the internet automatically depending on rules set by yourselves. This would integrate well with your current use of EPO.
- You would need to install the CSR plug-in for EPO to do the reports on web browsing, or use McAfee Web Reporter. CSR is free with MWG and I believe Web reporter is too, though there is a premium version of Web Reporter which you can buy support for.
Disclaimer: We currently do not use McAfee Client Proxy, EPO, CSR or McAfee Cloud. I've looked at all of them but they don't fit our environment which from your description is very different to yours.