Hi Kevin,
I've never done a deployment with Blue Coat specifically, but with web gateways that do SSL inspection, the answers to your questions are generally pretty standard. Also, I'm not 100% sure if you can use WCCP to do SSL inspection because the proxy needs to terminate the SSL connection on itself, then reestablish it to the website in order to see what is inside the packets.
Remember the packets are encrypted and we need that visibility.
What certs are needed on the client and Blue Coat?
This depends on your design.
a. The general instruction from the SSL vendors is to export the certificate and private key and import them onto the proxy. That way, the users will see a cert they trust.
b. Another option is to enroll the proxy as a subordinate CA server so they will trust the cert.
c. The final option is to use a self-signed certificate and ensure all users trust it as a root CA.
I'd say do a. if you can, otherwise use b. Only use c. if you can easily push new certs to users.
How did you deploy certs to devices? I know we deploy with AD policy to the majority of our end users, but what about users with iPads, Linux?
I usually use AD. I've only deployed proxies in all-Windows environments. For iPads and other mobile devices, you'd need to use a mobile device management (MDM) solution, or do it manually on all devices. Unfortunately I can't comment on Linux as I have no real experience with that aspect of it. May have to be manual as well.
What happens if the user does not have the cert installed?
If they don't have the cert, for every https site that they visit, they will get the screen saying "untrusted website". Super annoying!
What impact if any has there been on your user community?
No impact to them really. Once the inspection is up and running smoothly, they are none the wiser! Just ensure that the inline proxy is adequately sized!
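
The trust relationship behind option b and the "untrusted website" warning, as an added example that is not part of the original reply. It builds a throwaway lab PKI with openssl; every name, hostname and file in it is a constructed placeholder, and it assumes OpenSSL 1.1.1 or later on the PATH.

```bash
#!/usr/bin/env bash
# Added example: constructed lab PKI; all names below are placeholders.
LAB=$(mktemp -d)
cat > "$LAB/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

# new_root NAME CN: self-signed root CA written to NAME.key / NAME.pem
new_root() {
  openssl req -x509 -config "$LAB/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" -subj "/CN=$2" -days 7 2>/dev/null
}
# issue NAME CN ISSUER EXT: new key and CSR for NAME, signed by ISSUER using section EXT
issue() {
  openssl req -new -config "$LAB/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "/CN=$2" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$3.pem" -CAkey "$LAB/$3.key" \
    -CAcreateserial -extfile "$LAB/pki.cnf" -extensions "$4" \
    -out "$LAB/$1.pem" -days 7 2>/dev/null
}
# client_trusts STORE: exit 0 if the leaf the proxy presents chains to the root in STORE
client_trusts() {
  openssl verify -CAfile "$LAB/$1.pem" -untrusted "$LAB/proxy.pem" \
    "$LAB/leaf.pem" >/dev/null 2>&1
}

new_root corp  "Constructed Corp Root CA"       # root pushed to clients by AD policy or MDM
new_root other "Constructed Unrelated Root CA"  # trust store of a device that never got it
issue proxy "Constructed Proxy Subordinate CA" corp v3_ca   # option b: proxy is a sub CA
issue leaf  "www.example.test" proxy v3_leaf    # cert the proxy re-signs for a visited site

for store in corp other; do
  if client_trusts "$store"; then
    echo "$store trust store: chain verifies, no warning"
  else
    echo "$store trust store: chain fails, user sees the untrusted-site warning"
  fi
done
```

Only the root has to reach the clients; the proxy sends its own subordinate CA certificate along with each re-signed site certificate.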