Forum Discussion
SSL Termination issue
As I understand it, the Unipass identity is a client certificate, and client certificates generally get sent during the SSL handshake phase. The issue with what you're doing is based on the way this "mutual authentication" works with respect to that handshake. After the server requests the client's certificate, the client sends that certificate and a separate "Certificate Verify" message. This message contains a digital signature which is signed with the client's private key. Therefore, as the BIG-IP would not have access to the client's private key, you cannot terminate and re-encrypt SSL traffic between the client and server and still be able to pass that client certificate to the server.
There are a few ways to handle this limitation:
- Authenticate the certificate at the BIG-IP and then pass some other form of authentication to the server. The Access Policy Manager module provides pretty robust ways to handle this.
- ProxySSL - an LTM function that provides an "SSL man-in-the-middle" for inbound traffic. This allows the BIG-IP to passively decrypt the traffic while still allowing the client and server to handshake directly. ProxySSL, as with all SSL man-in-the-middle, or "passive SSL" techniques, requires 1) access to the server's private key and 2) an RSA-based key exchange, which is not perfect forward secret. This is getting harder to do as more clients deprecate RSA key exchange crypto.
- SSL tunnel - where you do not terminate and re-encrypt the SSL at the BIG-IP. This obviously limits the effectiveness of the proxy.
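To make the handshake-binding point above concrete, here is an added illustration (not part of the post or an F5 product): the TLS 1.3 CertificateVerify signature covers the transcript hash of the specific handshake, so a signature the client produced for the client-to-BIG-IP handshake cannot be replayed into the separate BIG-IP-to-server handshake, and the proxy cannot mint a new one without the client's private key. The transcript contents and randoms are constructed stand-ins; the RSA key passed to `Demo` plays the client's certificate key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// TLS 1.3 mandates RSA-PSS with salt length equal to the hash length.
var pss = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
// transcriptHash stands in for the TLS 1.3 transcript hash; labels and randoms
// are constructed stand-ins, not real handshake encodings.
func transcriptHash(clientRandom, serverRandom, clientCertDER []byte) []byte {
	th := sha256.Sum256(bytes.Join([][]byte{[]byte("ClientHello"), clientRandom,
		[]byte("ServerHello"), serverRandom, []byte("Certificate"), clientCertDER}, nil))
	return th[:]
}
// certificateVerifyContent is the signed input from RFC 8446 section 4.4.3:
// 64 spaces, the context string, a zero byte, then the transcript hash.
func certificateVerifyContent(th []byte) []byte {
	c := append(bytes.Repeat([]byte{0x20}, 64), "TLS 1.3, client CertificateVerify"...)
	return append(append(c, 0x00), th...)
}
// Only the holder of the client's private key can produce this signature...
func signCertificateVerify(priv *rsa.PrivateKey, th []byte) ([]byte, error) {
	d := sha256.Sum256(certificateVerifyContent(th))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], pss)
}
// ...and the server checks it with the public key from the client certificate.
func verifyCertificateVerify(pub *rsa.PublicKey, th, sig []byte) bool {
	d := sha256.Sum256(certificateVerifyContent(th))
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, pss) == nil
}
// Demo: is the client's CertificateVerify accepted on the direct client<->BIG-IP
// handshake, and on the separate BIG-IP<->server handshake after re-encryption?
func Demo(clientKey *rsa.PrivateKey) (directOK, relayedOK bool, err error) {
	cert := []byte("constructed stand-in for the client certificate DER")
	th1 := transcriptHash([]byte("client-random-1"), []byte("bigip-random-1"), cert)
	sig, err := signCertificateVerify(clientKey, th1)
	if err != nil {
		return false, false, err
	}
	directOK = verifyCertificateVerify(&clientKey.PublicKey, th1, sig)
	// Fresh randoms give a different transcript: same certificate, stale signature.
	th2 := transcriptHash([]byte("bigip-random-2"), []byte("server-random-2"), cert)
	relayedOK = verifyCertificateVerify(&clientKey.PublicKey, th2, sig)
	return directOK, relayedOK, nil
}
```

Call `Demo` with a key from `rsa.GenerateKey(rand.Reader, 2048)`; it returns `true, false`, which is exactly why only the three options listed above remain.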