The client tries to connect from a protected network to a remote site using a third party VPN client.
"server certificate is invalid"
VPN Client implements SSL pinning. VPN Client asks for the SSL certificate from the VPN concentrator over https connection. Since SSL Inteception is enabled in the Web Security Services (WSS) the VPN client receives the WSS' certificate and rejects the certificate and generates an "Server Certificate is invalid" error.
Create SSL Interception Exemption for the VPN concetrator.
Service > Network > SSL Interception > SSL Interception Exemptions > Destinations > Add > New > IP/Subnet > add concentrator's IP