Forum Discussion
external client authentication certificate
Still not completely clear. In the context of a full proxy system like F5, there are essentially four ways that "authentication" can happen:
1. Client authentication to the F5 front-end - this could simply be presenting a client certificate to the F5 VIP, or performing full APM-based client side authentication
2. F5 (acting as the client) authentication to the backend server - this is usually performed by APM doing SSO to an application
3. Client passing credentials through the proxy - the simplest form. If, however, that authentication is client certificate, then the F5 cannot terminate and re-encrypt the SSL channel, and otherwise perform any intelligent functions at layer 7
4. Or some combination of the first two
I believe you're talking about client certificate authentication, where the client presents a certificate as part of an SSL handshake. This can obviously be done between the client and the F5 (option 1 above), and directly through the F5 (option 3 - without terminating the SSL). If you terminate the SSL and consume the client cert (option 1), you can perform some other form of server side authentication (option 2) based on attributes of that client certificate, but not the client cert itself.
You also asked about security concerns. That depends entirely on a few different things. For instance, are you trying to perform client certificate authentication to the F5? Are the clients using hardware certificate tokens (smart cards) or software-based certificates? What type of authentication is required at the backend servers?
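The combination described in the reply above (terminate SSL at the F5, consume the client certificate, then identify the user to the backend by certificate attributes) can be sketched as an iRule; this is an added example, not part of the original post. It assumes a client SSL profile that requests client certificates and an HTTP profile on the virtual server, and the header names `X-Client-Cert-Subject` and `X-Client-Cert-Serial` are hypothetical names the backend would need to accept only from the F5.

```tcl
# Added example, not from the original thread.
# Assumptions: client SSL profile with client certificate set to
# request/require, HTTP profile attached, backend reachable only via the F5.
# Header names below are hypothetical.

when HTTP_REQUEST {
    # Remove any copies of the identity headers sent by the client, so the
    # backend only ever sees values written by the proxy.
    HTTP::header remove "X-Client-Cert-Subject"
    HTTP::header remove "X-Client-Cert-Serial"

    # Fail closed: if no certificate is available for this request, or chain
    # verification did not succeed, refuse instead of forwarding the request
    # without an identity.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        HTTP::respond 403 content "Client certificate required" "Content-Type" "text/plain"
        return
    }

    # The certificate itself stops here (the SSL session is terminated);
    # only selected attributes travel to the server side.
    set cert [SSL::cert 0]
    HTTP::header insert "X-Client-Cert-Subject" [X509::subject $cert]
    HTTP::header insert "X-Client-Cert-Serial" [X509::serial_number $cert]
}
```

The backend trusts these headers only because the proxy strips and rewrites them, so any direct network path to the server that bypasses the F5 would let a caller set them freely.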