Hi Jeffrey, I've seen a few customers clone traffic and send it unencrypted to an IDS system, and I've also seen a couple of solutions where they will send unencrypted through an IPS system that then flows back through the BIG-IP to be re-encrypted before sending on its way. Clever solutions, but if the requirement states no unencrypted traffic on the wire, period, well, both solutions fail that, and there isn't an official best practice stamp on them anyway. If interested:
https://devcentral.f5.com/articles/divert-unencrypted-traffic-through-an-ips-with-local-traffic-manager