Hello Teo,
From what I understand, I don't think you need to worry about SSL orchestrator or SSLO.
I'm pretty sure you can achieve this flow:
Client --- -->[F5]------>[BC]----->[F5]---->Internet
by applying a client-side SSL profile and by not applying a server-side SSL profile. In essence, clients would connect to the Big-IP, where the client side certificate would be used for https. Then, BIG-IP would decrypt it, sending traffic on to the Bluecoat proxy. BlueCoat inspects the client traffic, and either allows/denies it. It sends the traffic back through the BIG-IP, where it is re-encrypted and sent, not back to the client, but to whatever the client was trying to access.
From what I understand of BlueCoat, the client access the internet through the BlueCoat Proxy. To place a Big-IP in front of BlueCoat, you would configure a virtual server with Bluecoat as one of it's pool members. Instead of the BlueCoat proxy address, client's would enter the IP address of the virtual server.
The only area of the configuration I'm unsure of is sending the traffic outbound instead of back to the client, which runs against auto-last hop, which directs traffic back to its source (in this case the client). This might depend a little on how BlueCoat works, which I admittedly don't know much about. Truthfully, if the BlueCoat proxy is being overwhelmed, it might be a better solution to upgrade your BlueCoat.
Feel free to ask if you have any follow-up questions,
Austin
Cirrus
