The issue occurs because if the HTTPS/SSL policy is enabled, the HTTPS traffic will be decrypted for scanning and will be reassigned a new IWSaaS root Certificate Authority. However, the browser does not recognize the new certificate.

To resolve the issue, import the new IWSaaS root Certificate Authority (CA) to the client’s trusted root certificates:

To download the IWSaaS root CA:

1. Log in to the IWSaaS web console.
2. Go to Administration > Service Deployment > HTTPS/SSL Policies.
3. On the lower right side, click Download and install an SSL certificate for client devices.
    
4. Run the certificate and install it in Trusted Root Certification Authorities.

To import it in IE:

1. Go to Start > Programs > Administrative Tools > Certification Authority.
2. Click Trusted Root Certification Authorities, and then right-click the Certificates folder.
3. Select All Tasks, and then click Import. This will open the Certificate Import Wizard. 

   

4. Make sure to import your IWSaaS certificate from the IWSaaS console.
5. Follow the prompt to finish the wizard.

To import in Firefox:

1. Go to Tools > Options > Advanced > Certificate.
2. Click View Certificates, and then select Authorities.

   In Firefox, the CA cannot be imported to both the server and authorities. If the CA was imported to the server, delete it first.

3. Click Import.
4. Navigate to the download folder and select the current_ca_cert.cer file.
5. Select Trust this CA to identify websites, and then click OK.

To Deploy Certificate via GPO:

After downloading IWSaaS Certificate from the Web console, deploy the Certificate by using GPO.

Refer to the Microsoft Technet article: Deploy Certificates by Using Group Policy

For additional information, you can refer to another Microsoft Technet article: Distribute Certificates to Client Computers by Using Group Policy.