With HTTPS inspection configured and Outbound Certificate distributed, following behavior being observed:
From internal hosts, browsers reaching destination, substituted certificate is shown as valid and there are no indications of the intercept:
When remote client (Endpoint VPN) establishes the connection to the same site, certificate is substituted, declared "valid", but the browser indicates the site being "Not Secure":
Certificate is installed on the remote client in Trusted Root Certification Authorities:
The culprit was the older certificate issued by the same gateway and installed on clients. After removal of the old certificate, clients' browsers behavior reverted to normal.