Forum Discussion
Forward explicit SSL proxy server
There are a few moving parts.
- Create the "tcp-forward" tunnel object
- Create the DNS resolver object
- Create the http-explicit profile that binds the tunnel and DNS resolver objects
- Make sure you have a default outbound route. It may be helpful to jump onto the command line and nslookup/dig some remote site to make sure it resolves, and then cURL to it to make sure the F5 can actually get there
- Create the proxy VIP - this is the IP::port that the client browser will be configured to talk to. A standard VIP, listening on specific internal IP and port (ex. 3128 or 8080), http-explicit profile, listening on client side VLAN, SNAT as required, address and port translation enabled
- Create the "tunnel" VIP - this is the VIP that will maintain the HTTP CONNECT tunnel for SSL traffic. A standard VIP listening on 0.0.0.0, port 443 (or port 0 if you want to be able to handle HTTPS on any port), listening on the tunnel object created earlier, SNAT as required, address and port translation disabled
So the way it works: an HTTP proxy request hits the proxy VIP, is locally resolved, and is routed out the default gateway. An HTTPS proxy CONNECT request hits the proxy VIP, is locally resolved, and the proxy VIP establishes a TCP tunnel between the client and the tunnel VIP, and then responds to the client with a "200 Connection Established". Upon receipt of this message, the client initiates its SSL handshake outbound, through the TCP tunnel, out the default gateway to the remote server. You don't technically have to process SSL at the tunnel VIP. If you do, that's called "SSL Forward Proxy", and you need the SSL Forward Proxy license for that. This license allows the F5 to re-issue the server cert to the client from a locally-installed (preferably subordinate) certificate authority. In this case, you'd:
- Install the CA certificate and private key
- Create a client SSL profile that enables the SSL Forward Proxy option, binds the CA cert and key, and whatever other options you want there
- Create a server SSL profile that enables the SSL Forward Proxy option, optionally enables the SSL Forward Proxy Bypass option, optionally sets the Server Authentication - Server Certificate option to require, and provides a certificate bundle for the Trusted Certificate Authorities option (if Server Certificate is set to require). The ca-bundle certificate bundle consists of the Mozilla CA trust stack and is updated often. You may optionally want to modify the Ciphers option to "DEFAULT:ECDHE_ECDSA" if you're running at least 11.6HF5, and it would be wise to also set the Secure Renegotiation option to Request or Require, as there are still many servers on the Internet that don't support RFC5746 Secure Renegotiation.
- Bind the client and server SSL profiles to the tunnel VIP
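The unencrypted explicit-proxy steps above (tunnel, resolver, http-explicit profile, proxy VIP, tunnel VIP) expressed as tmsh commands, as an added example that is not part of the original post or of F5's own documentation. Object names, the proxy listener address, the client VLAN and the DNS server are assumed; the commands are echoed by default (dry run) and only executed when TMSH=tmsh is set on a BIG-IP.

```shell
#!/bin/sh
# Added example: builds the explicit forward proxy objects described in the post.
# Dry run by default; on a BIG-IP run with TMSH=tmsh to actually apply them.
TMSH=${TMSH:-echo tmsh}

TUNNEL=http-fwd-tunnel           # assumed object names
RESOLVER=proxy-dns
HTTP_PROFILE=http-explicit-fwd
PROXY_VS=proxy-vs
TUNNEL_VS=proxy-tunnel-vs
PROXY_IP_PORT=10.10.1.10:3128    # assumed internal IP:port the browsers point at
CLIENT_VLAN=internal             # assumed client-side VLAN
DNS_SERVER=10.10.1.53            # assumed resolver reachable from the F5

# Step 1: tcp-forward tunnel that carries CONNECT traffic to the tunnel VIP
create_tunnel() {
  $TMSH create net tunnels tunnel "$TUNNEL" profile tcp-forward
}

# Step 2: DNS resolver the proxy uses to resolve destination hostnames locally
create_resolver() {
  $TMSH create net dns-resolver "$RESOLVER" forward-zones replace-all-with \
    { . { nameservers replace-all-with { "$DNS_SERVER:53" } } }
}

# Step 3: http-explicit profile binding the tunnel and resolver; allow CONNECT
create_http_profile() {
  $TMSH create ltm profile http "$HTTP_PROFILE" defaults-from http-explicit \
    proxy-type explicit explicit-proxy { dns-resolver "$RESOLVER" \
    tunnel-name "$TUNNEL" default-connect-handling allow }
}

# Step 4: proxy VIP on the client VLAN; address/port translation stay enabled
create_proxy_vs() {
  $TMSH create ltm virtual "$PROXY_VS" destination "$PROXY_IP_PORT" ip-protocol tcp \
    profiles replace-all-with { tcp { } "$HTTP_PROFILE" { } } \
    source-address-translation { type automap } \
    vlans-enabled vlans replace-all-with { "$CLIENT_VLAN" }
}

# Step 5: tunnel VIP listening on the tunnel object, 0.0.0.0:443, no translation
create_tunnel_vs() {
  $TMSH create ltm virtual "$TUNNEL_VS" destination 0.0.0.0:443 ip-protocol tcp \
    profiles replace-all-with { tcp { } } source-address-translation { type automap } \
    vlans-enabled vlans replace-all-with { "$TUNNEL" } \
    translate-address disabled translate-port disabled
}

apply_all() { create_tunnel && create_resolver && create_http_profile && create_proxy_vs && create_tunnel_vs; }
```

Use destination 0.0.0.0:0 on the tunnel VIP instead of :443 if, as the post notes, HTTPS on any port should be tunnelled.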