HTTPS Reverse Proxy
When using ASG to terminate SSL sessions (SSL offloading), it is sometimes necessary to obtain the client certificate (mutual authentication) and pass some SSL information, such as SSL session IDs and client SSL certificate information (e.g. certificate fingerprint and serial number), inside HTTP headers to be used and processed by the protected web applications.
An example of this use: let’s assume that I have a plain-text web application with certificate-based user authentication, so it’s necessary to have such features in my WAF appliance.
Jim Harrison commented
The only way for the UTM to accomplish this would be for it to build a spoof client cert based on the original client cert particulars and signing it with a CA certificate that the published server trusts.
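The consuming side of the header-passing arrangement requested above, as an added example that is not part of the original thread: a backend check that accepts certificate details from HTTP headers only when the request arrives from the reverse proxy. The header names, proxy address and enrolment table are assumptions; the page names none.

```python
import re

# Hypothetical values: the page names no headers or addresses.
TRUSTED_PROXIES = {"10.0.0.5"}          # address of the SSL-offloading proxy
FP_HEADER = "HTTP_X_SSL_CLIENT_FINGERPRINT"
SERIAL_HEADER = "HTTP_X_SSL_CLIENT_SERIAL"
SESSION_HEADER = "HTTP_X_SSL_SESSION_ID"
CERT_HEADERS = (FP_HEADER, SERIAL_HEADER, SESSION_HEADER)
HEX = re.compile(r"[0-9a-f]+")

# Constructed sample enrolment data: SHA-256 fingerprint -> (serial, user).
ENROLLED = {"ab" * 32: ("0a1b2c", "alice")}


def normalise(value):
    """Return lower-case hex without separators, or None if malformed."""
    v = value.replace(":", "").replace(" ", "").lower()
    return v if HEX.fullmatch(v) else None


def client_identity(environ):
    """Return the enrolled user the proxy vouches for, or None.

    environ is a WSGI environ dict. REMOTE_ADDR is only meaningful here if
    the backend is reachable solely through the proxy at network level.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        # Anyone can type these headers; drop them so later code
        # cannot mistake them for proxy-asserted values.
        for name in CERT_HEADERS:
            environ.pop(name, None)
        return None
    fingerprint = normalise(environ.get(FP_HEADER, ""))
    serial = normalise(environ.get(SERIAL_HEADER, ""))
    if fingerprint is None or serial is None or len(fingerprint) != 64:
        return None
    entry = ENROLLED.get(fingerprint)
    if entry is None or entry[0] != serial:
        return None
    return entry[1]


def app(environ, start_response):
    """Minimal WSGI app: 403 unless the proxy asserted an enrolled cert."""
    user = client_identity(environ)
    status = "200 OK" if user else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [(user or "client certificate required").encode()]
```

The check is only sound if the proxy itself overwrites or removes these headers on every inbound request, so a value supplied by the client never reaches the backend under the proxy's address.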