This is probably related to the homepage the user has set in their browser. A lot of properties such as Facebook and Google automatically redirect users to the HTTPS version.
Assuming the client has their browser homepage set to google.com or facebook.com, the following would happen:
- client associates to the network
- client launches browser to an HTTP page which returns a 302 redirect to its HTTPS equivalent (example: http://google.com and http://facebook.com, which now redirects all users to https://google.com and https://facebook.com by default).
- client reaches the http://google.com servers (due to auto whitelisting), which returns a 302 redirect to https://google.com.
- client follows the 302 and attempts to access https://google.com.
- IAP intercepts the connection, spoofs the SSL certificate and redirects client to http://google.com. This "spoof SSL and redirect to non-SSL" behavior appears to be expected, and is how you intercept outbound HTTPS requests for portaling.
- client reaches the http://google.com servers (due to auto whitelisting), which returns a 302 redirect to https://google.com
[Process repeats until the browser errors out due to redirect loop]
Disabling auto whitelisting should prevent the redirect loop with the side effect of the user receiving cert mismatch errors. I suppose you might be able to whitelist the HTTPS version of these sites but have not tested it.
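
The loop described in the post above, modelled as a small simulation (an added example, not part of the original post and not vendor code). The hostname comes from the post; the portal URL, the redirect limit of 20, and the rule that an intercepted plain-HTTP request is sent to the portal when auto whitelisting is off are assumptions.

```python
from urllib.parse import urlsplit

PORTAL_URL = "http://portal.example/login"  # hypothetical portal page (assumption)
MAX_REDIRECTS = 20                          # assumed browser redirect limit


def origin_response(url):
    """Real site: plain HTTP answers 302 to the HTTPS equivalent, HTTPS loads."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 302, f"https://{parts.netloc}{parts.path}"
    return 200, None


def iap_response(url, auto_whitelist, authenticated):
    """Return (status, location, spoofed_cert) for one request through the IAP."""
    parts = urlsplit(url)
    if authenticated:
        return (*origin_response(url), False)
    if parts.scheme == "https":
        # Post, step 7: spoof the certificate, redirect to the non-SSL site.
        return 302, f"http://{parts.netloc}{parts.path}", True
    if auto_whitelist:
        # Post, steps 5 and 8: the HTTP request reaches the real servers.
        return (*origin_response(url), False)
    return 302, PORTAL_URL, False  # assumption: intercepted HTTP goes to the portal


def browse(start, auto_whitelist, authenticated=False):
    """Follow redirects like a browser; return (outcome, hops, spoofed_count)."""
    url, hops, spoofed = start, [], 0
    while len(hops) < MAX_REDIRECTS:
        hops.append(url)
        if url == PORTAL_URL:
            return "portal", hops, spoofed
        status, location, was_spoofed = iap_response(url, auto_whitelist, authenticated)
        spoofed += was_spoofed
        if status != 302:
            return "loaded", hops, spoofed
        url = location
    return "redirect-loop", hops, spoofed


if __name__ == "__main__":
    for start, whitelist in [("http://google.com", True),
                             ("http://google.com", False),
                             ("https://google.com", False)]:
        outcome, hops, spoofed = browse(start, whitelist)
        print(f"{start} auto_whitelist={whitelist}: {outcome}, "
              f"{len(hops)} requests, {spoofed} spoofed certificates")
```

In this model the spoofed certificate is only presented when the client requests an HTTPS URL before authenticating, which is where the cert mismatch error would surface once the loop is removed.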