Forum Discussion
Client cert for IIS getting dropped
Are you saying that the IIS server needs to get the actual client's certificate? If so, understand that once the SSL session is terminated on the client side, with client SSL profile, the client can no longer send its certificate to the server. This is because the client will sign its certificate (and other data) with its own private key. The BIG-IP wouldn't have access to the client's private key, so it cannot send it to the server in the SSL handshake. You basically have three options then:
- Remove the client and server SSL profiles and let end-to-end SSL pass through the BIG-IP. You lose a significant amount of flexibility with this approach since you can no longer see the unencrypted payload.
- If you're running BIG-IP version 11.1 or higher (11.3 HF5+ preferred), you can use a feature called "ProxySSL", which is an SSL man-in-the-middle. The client and server SSL profiles have a copy of the server's private key and can transparently decrypt the payload. You gain back some application layer insight, but you have to be careful with some things, as the SSL session is made between the client and a specific server, and that cannot be altered once established.
- Consider another way to authenticate at the IIS server. There are many ways that you can pass validated credentials to a web server, including HTTP headers, server side cookies, and all of the SSO functions that Access Policy Manager (APM) can provide.
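One way to implement the third option on the BIG-IP, as an added iRule example that is not from the original post or from F5: once the client SSL profile has validated the client certificate, the certificate subject is passed to IIS in an HTTP header. It assumes a client SSL profile that requests and verifies the client certificate against a trusted CA, and the header name X-Client-Cert-Subject is an assumed name; IIS must trust that header only on requests that arrive from the BIG-IP.

```tcl
# Added example, not from the original post or from F5.
# Assumes the client SSL profile already requests and validates the
# client certificate; the header name below is an assumption.
when CLIENTSSL_CLIENTCERT {
    # Fires after the client SSL profile has verified the presented cert.
    if { [SSL::cert count] > 0 } {
        set client_subject [X509::subject [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Always strip the header first so a client cannot inject its own value
    # and have IIS mistake it for one the BIG-IP set.
    HTTP::header remove "X-Client-Cert-Subject"
    if { [info exists client_subject] } {
        HTTP::header insert "X-Client-Cert-Subject" $client_subject
    }
}
```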