Forum Discussion
Certificates implementation in "SSL forward proxy client and server authentication" scenario.
In most cases you don't need to do anything specific with the server SSL profile. This is the client side of the SSL handshake with the server, and will (unless instructed otherwise) blissfully ignore any subject or trust mismatches. So given that you have a generic environment that requires SSL termination on the client side to the F5, and re-encryption to the server, the following is an absolute basic requirement for this to work:
- Client SSL profile - at a minimum you need the server certificate and private key that will be presented to the client during the client side SSL handshake. Unless you're also doing client certificate authentication, or mandating different cipher suites, you shouldn't need anything else configured in this profile.
- Server SSL profile - in many cases the default serverssl profile is sufficient to re-encrypt the traffic to the back end. The server will present its certificate to the client (server SSL profile) during the SSL handshake, and the client will ignore the certificate mismatch and carry on. If you're running an older IIS or Apache instance, you may not be able to support the newer secure renegotiation capability, so you can either set the Secure Renegotiation option in the server SSL profile to "Request", or simply use the serverssl-insecure-compatible profile.
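
The two profiles described in the reply above, written out as tmsh commands. This is an added example, not part of the original post or F5's own configuration. All object names (app_clientssl, app_serverssl, app_serverssl_verified, app_vs, app_chain), the certificate, key and CA file names, and the back-end hostname are constructed placeholders. The last profile shows the "instructed otherwise" case: a server SSL profile that validates the back-end certificate instead of ignoring it.

```tmsh
# Client side: certificate and private key presented to clients.
# Nothing else is changed from the parent clientssl profile.
create ltm profile client-ssl app_clientssl \
    defaults-from clientssl \
    cert-key-chain replace-all-with { \
        app_chain { cert app.example.com.crt key app.example.com.key } \
    }

# Server side, as in the reply: inherit the default serverssl profile,
# which does not check the back-end certificate's subject or issuer.
# For older IIS/Apache back ends without secure renegotiation support,
# relax Secure Renegotiation to "request".
create ltm profile server-ssl app_serverssl \
    defaults-from serverssl \
    secure-renegotiation request

# Server side, validating variant (assumption: the back ends present
# certificates issued by the CA bundle internal-ca.crt). The handshake
# now fails if the certificate is untrusted or its name does not match.
create ltm profile server-ssl app_serverssl_verified \
    defaults-from serverssl \
    peer-cert-mode require \
    ca-file internal-ca.crt \
    authenticate-name app01.internal.example

# Attach one client-side and one server-side profile to the virtual server.
modify ltm virtual app_vs profiles add { \
    app_clientssl { context clientside } \
    app_serverssl { context serverside } \
}
```

With the default behaviour the re-encrypted leg gives confidentiality but no authentication of the back end; the validating profile is the one to use where the path between the BIG-IP and the servers is not fully trusted.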