Client Certificates at the Backend?

Please tell us something about your configuration. Since we are discussing client certificates, I assume that BIG-IP is performing SSL termination. Is this for offload purposes or is BIG-IP re-encrypting the traffic to the back-end servers? With SSL offload, the back-end traffic is unencrypted, so there really isn't a good way to offer a client cert to the back end. However, BIG-IP can be configured to perform the authorization itself. Additionally, the complete client certificate (or selected fields from it) can be included as custom HTTP headers. With re-encryption (also called SSL to server), the story changes somewhat. BIG-IP can offer a client certificate to the server. You can even choose which certificate to offer, but there is no good way to "push" the client's certificate through.