This article explains the issue in which the following error message prevents the proxy from downloading the Intelligence Services database, and lists possible workarounds:
"Server certificate signed by unknown CA"
This issue occurs when a device between the proxy and the destination server presents a certificate that the proxy does not trust by default. This can occur when there are two proxies in a chained environment.
To prevent this from happening, the following procedures can be performed:
- Install the certificate from the external device into the proxy's CA certificates list and then to the browser-trusted CCL.
- Disable SSL Interception in the upstream device for this particular request, so that the certificate that the internal proxy sees is the original one.
- (If the upstream proxy is Transparent) Add the IP that resolves to the Intelligence Services database to the Static Bypass List. This assumes there is a ProxySG or ASG providing this certificate.
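Before choosing a workaround, it helps to confirm which CA the intermediate device is presenting. The following is an added example, not part of the original article or any vendor tooling: it parses `openssl s_client -showcerts` output captured from a host on the internal proxy's outbound path and names the issuer missing from the trust list. The hostname, CA names and trusted set are constructed placeholders, and matching by CN is a triage heuristic, not signature validation.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output (PEM bodies shortened;
# entry 1 uses the older OpenSSL 1.0.x "/O=.../CN=..." layout to exercise both forms).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = db.example.invalid
   i:O = Constructed Corp, CN = Constructed Upstream Proxy Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
 1 s:O = Constructed Corp, CN = Constructed Upstream Proxy Issuing CA
   i:/O=Constructed Corp/CN=Constructed Upstream Proxy Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
Server certificate
"""

_ENTRY = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")   # "0 s:<DN>" or "  i:<DN>"
_CN = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")   # CN in either DN layout

def _name(dn):
    """Return the CN of a distinguished name, or the whole DN if it has none."""
    m = _CN.search(dn)
    return (m.group(1) if m else dn).strip()

def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_chain = [], False
    for line in output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.strip() == "---":       # section terminator
            break
        elif in_chain:
            m = _ENTRY.match(line)                     # PEM and other lines are skipped
            if m and m.group(1) == "s":
                chain.append([_name(m.group(2)), None])
            elif m and chain:
                chain[-1][1] = _name(m.group(2))
    return [tuple(c) for c in chain]

def untrusted_issuer(output, trusted):
    """Return the top issuer to import, or None if the chain reaches a trusted CA."""
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no certificate chain in input")
    if any(subj in trusted or iss in trusted for subj, iss in chain):
        return None
    return chain[-1][1]
```

If the returned issuer belongs to the upstream device rather than to the database's real CA, the request is being intercepted, which is the condition the three workarounds above address.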