SSH into the S170grep -> 1 access logs -> enter your workstation IP address -> y, n, y, nStart a new browser session and visit the site that is not working.Look for the drops in your logs.. this will tell you what policy you are matching.If it's not ...

We currently use self signed as we do not have an in house CA. I followed the guide here:http://blog.samkendall.net/2010/05/12/how-to-make-your-computers-trust-your-cisco-ironport-https-proxy-in-an-active-directory-environment/  works great.