IMessaging connects to a server using the certificate *.ess.apple.com which is signed by Apple Root CA. 

Apple Root CA is not a CA that common browsers trust. Moreover the ProxySG appliance does not trust it by default and will terminate the connection with a certificate warning (untrusted issuer).

 

The Signing cert for *.ess.apple.com is not trusted by the ProxySG appliance by default.

Import the Apple Root CA into the ProxySG CA certificate list:

1. Download the Apple Root CA (attached below). 
2. Click Configuration > SSL > CA Certificates > Import.
3. Open the Apple Root CA in an text editor then copy everything including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
4. Name the cert AppleRoot then click OK.
5. Click on CA Certificate Lists tab.
6. Select browser-trusted and then click Edit.
7. Select AppleRoot from the left column and click Add >> to add it to the right column.
8. Click OK and then Apply.

Note:

An issue of this nature can also be encountered when Apple devices need to access other sites such as the following:

gsas.apple.com
*fmip.icloud.com