Changing from Transparent Proxy to Standard Proxy Breaks Outlook and Website Images When SSL Decrypt and Scan is Enabled

Question

I'm wanting to changes our setup from a transparent proxy with AD SSO, to standard proxy with AD SSO authentication. With transparent proxy, SSL decrypt and scan is set and the cert distributed to all clients, which works fine. When I switch to standard proxy, some web page images no longer load a and also outlook 2016 gets disconnected from our Exchange server. As soon as I disable the SSL decrypt and scan, it all starts working again. 
 Is there something else I should be changing to fix this? I can't work out where the issue is.

BAlfson · Answer

OK, I will have moved this thread from General Discussion to the Web Protection forum. 
 What relevant line(s) do you see in the Web Filtering log when your browser is configured to use the Standard Proxy and website images are broken? Are the web servers with broken images internal or out on the Internet? What browser? Is this the Outlook app that breaks or Outlook Web Access? 
 Cheers - Bob

DouglasFoster · Answer

Yes, there is no free lunch. 
 You have merged two issues: 
 
 Standard vs. Transparent Mode Proxy 
 HTTPS inspection enabled or disabled 
 
 These are actually independent decistions, so there are four possible combinations. 
 I recommend running both proxy modes. I use Standard mode with AD SSO authentication for browser traffic, and Transparent mode with no authentication for non-browser traffic (of which there is much more than I expected.) 
 HTTPS inspection is a tougher call. UTM becomes the client to the remote website, not your PC. This creates a number of issues: 
 
 UTM does not support the ciphersuites of some websites. 
 UTM does not support AIA fetching for sites that do not provide their intermediate certificates. 
 Some browser plugins will not work correctly. 
 Most dual-session products will not work correctly (gotomypc and equivalents, Citrix sessions, etc.) 
 
 The first two are theoretically correctable, but the browser companies have more money so they can adapt much more quickly than Sophos. The latter two issues are inherent to the technology. 
 You should have a monitoring and tuning process for any webfiltering endeavor. Your tuning effort is greater with HTTPS inspection enabled. The logs have the data that you need. 
 To work around specific problems like the ones in your headline: 
 
 Assign websites to Tags, and assign Tags to Exception objects. 
 Use an Exception object that bypasses everything rather than using skiplists. 
 
 For more pontificating, see my posts "Web Filtering Lessons Learned" and "Troubleshooting Web Filteirng". Both are pinned to the top of the Web Filtering forum