You want to know about best practices for implementing server certificate validation for Forward proxy deployment.
For a typical forward proxy deployment it is recommended to have server certificate validation enabled for HTTPS requests. By default server certificate validation is enabled unless its disabled via policy in VPM or CPL. If certificate validation is disabled for all HTTPS requests with policy setup like below, this may expose client machines to HTTPS sites where the server certificate is expired, spoofed, issued by unknown signing authority or revoked.
With Visual Policy manager (VPM)
With Content policy Language (CPL)
It is recommended to use disable server certificate validation policy selectively for know destination hosts, domains, IPs etc, where the HTTPS site could possibly an internal site or a site that is known to proxy admins but has certificate problems, i.e. untrusted issuer, expired, host name mismatch. Below is a sample of how to disable server certificate validation by domain