The SSL certificate needs to be added to the Trusted Root Certification Authorities of all of your computers. I'd just use a self-signed one from the firewall, but you can also get publicly signed ones, etc. This article covers the concept pretty well (I have no affiliation with GlobalSign; it just explains the concept well): https://www.globalsign.com/en/blog/what-is-ssl-inspection/

Regardless of which route you go, you will HAVE to push at least one certificate to get SSLi working. If Windows, the easiest way to deploy these is using GPO. https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy

If Mac or Linux, you'd need some sort of orchestration tool (JAMF, etc.) to push globally.
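One way to confirm that the push described above actually landed, as an added example that is not part of the original post: the function below loads the CA certificate exported from the firewall and reports, per Windows computer, whether its thumbprint is present in the machine's Trusted Root store. The function name, the `.cer` path and the computer names are assumptions, and the remote check assumes PowerShell remoting is enabled.

```powershell
# Added example (not from the original post): verify the inspection CA
# is in Trusted Root Certification Authorities on each computer.
function Test-InspectionCaTrust {
    param(
        [Parameter(Mandatory)] [string] $CerPath,        # CA cert exported from the firewall (placeholder path)
        [string[]] $ComputerName = @($env:COMPUTERNAME)  # hypothetical host list
    )

    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $CerPath).Path)

    # Sanity-check the file before relying on it fleet-wide.
    $bc = $ca.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "$($ca.Subject) is not marked as a CA in Basic Constraints."
    }
    $now = Get-Date
    if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
        Write-Warning "$($ca.Subject) is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))."
    }

    # Runs on the target machine: is the thumbprint in LocalMachine\Root?
    $check = {
        param($Thumbprint)
        Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint"
    }

    foreach ($name in $ComputerName) {
        try {
            $found = if ($name -eq $env:COMPUTERNAME) {
                & $check $ca.Thumbprint
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $check `
                    -ArgumentList $ca.Thumbprint -ErrorAction Stop
            }
            $status = if ([bool]$found) { 'Trusted' } else { 'Missing' }
        } catch {
            $status = 'Unreachable'   # remoting failed; trust state unknown
        }
        [pscustomobject]@{
            Computer   = $name
            Thumbprint = $ca.Thumbprint
            Status     = $status
        }
    }
}
```

Computers reported as `Missing` have not applied the policy yet; running `gpupdate /force` on one of them and re-checking separates a slow refresh from a GPO scoping problem.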