Forum Discussion
HTTP Profile breaking HTTPS
- Oct 18, 2016
It's mandatory to offload SSL in BigIP to inspect the HTTP headers (Host, and others). There's no way around it. However, you can use serverssl profile in conjunction with clientssl to re-encrypt before the request gets forwarded to a pool member.
To expand on this somewhat: with TLS traffic, if the BIG-IP is not "offloading" (decrypting on the client-side), it is impossible for the BIG-IP to inspect the traffic in a meaningful way (aside from some information exchanged in the TLS handshake). This is true not only for BIG-IP, but for any device. TLS is specifically designed to prevent a so-called "man-in-the-middle", and does so in part by encrypting traffic. It initiates the encryption in such a way that only the client and server can encrypt and decrypt the flow. When the BIG-IP is set up for offloading (via a clientssl profile), the BIG-IP becomes the "server" in the TLS conversation with the client, and thus can encrypt and decrypt the flow. However, as part of the "man-in-the-middle" protection, TLS uses certificate-based system authentication. That is, using a signed certificate, the server in a TLS exchange must provide its identity. The signature "proves" that the end-system really is what it claims to be. This is the reason you must install the validly signed certificate and private key from the real servers on the BIG-IP, and create a clientssl profile that points to these.
When you assign the http profile to a Virtual Server, it assumes the incoming traffic is HTTP. It uses protocol validation, and rejects traffic that is not valid HTTP. TLS traffic itself is not valid HTTP (even if it contains HTTP traffic), so without offloading, TLS traffic is dropped when the http profile is applied. On the other hand, if offloading is used (again, meaning a clientssl profile is also applied), the incoming traffic is first decrypted, and the traffic contained within the TLS stream is then processed by any other profiles.
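The two replies above make two points that are easy to see in bytes: an HTTP parser applied to a raw TLS stream fails protocol validation on the very first byte, and the only name a device can read without decrypting is the SNI in the ClientHello, not the Host header. The following is an added example, not code from the posts or from F5; it constructs a minimal TLS 1.2-style ClientHello and a plaintext HTTP request inline, then runs a simplified request-line validator (a stand-in for what an http profile does, not BIG-IP's actual implementation) and an SNI extractor over both. Function names and the sample host name are assumptions.

```python
import re

# Constructed sample request: what the http profile sees *after* clientssl has decrypted the flow.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Minimal "is this an HTTP request?" check: method SP target SP HTTP/x.y CRLF.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r\n")


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying a server_name extension (constructed test data)."""
    name = sni.encode()
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type host_name + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list    # extension type 0 = server_name
    body = (
        b"\x03\x03"                      # client_version TLS 1.2
        + b"\x11" * 32                   # random (fixed filler, constructed)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02" + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                    # one compression method: null
        + len(ext).to_bytes(2, "big") + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake


def looks_like_tls_record(data: bytes) -> bool:
    """ContentType 0x16 (handshake) followed by a 0x03 0x0x record version."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def http_profile_inspect(data: bytes) -> dict:
    """Stand-in for http profile protocol validation: accept only a well-formed request line.

    Returns whether the stream passed validation and the Host header if present.
    A TLS record starts with 0x16, which is not an uppercase ASCII method byte, so it is rejected.
    """
    m = REQUEST_LINE.match(data)
    if not m:
        reason = "TLS handshake record, not HTTP" if looks_like_tls_record(data) else "not an HTTP request line"
        return {"accepted": False, "host": None, "reason": reason}
    header_block = data[m.end():].split(b"\r\n\r\n", 1)[0]
    host = None
    for line in header_block.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            host = value.strip().decode()
    return {"accepted": True, "host": host, "reason": None}


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello, or None: the only hostname visible without offloading."""
    if not looks_like_tls_record(record) or len(record) < 6 or record[5] != 0x01:
        return None
    try:
        p = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        p += 1 + record[p]                      # session_id
        p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher_suites
        p += 1 + record[p]                      # compression_methods
        ext_end = p + 2 + int.from_bytes(record[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(record[p:p + 2], "big")
            elen = int.from_bytes(record[p + 2:p + 4], "big")
            p += 4
            if etype == 0:                      # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = int.from_bytes(record[p + 3:p + 5], "big")
                return record[p + 5:p + 5 + name_len].decode()
            p += elen
    except (IndexError, UnicodeDecodeError):
        return None
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("http profile on raw TLS: ", http_profile_inspect(hello))
    print("SNI from ClientHello:    ", extract_sni(hello))
    print("http profile on plaintext:", http_profile_inspect(HTTP_REQUEST))
```

Without a clientssl profile the validator sees the 0x16 handshake byte and rejects the stream, which is the "HTTP profile breaking HTTPS" symptom; the SNI is readable, but the Host header and everything else only become available once the flow is decrypted, and a serverssl profile then re-encrypts it toward the pool member.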