Posted: 5/18/2015 4:57:55 PM EDT
Been asked to do a DirectAccess proof of concept fronted by an F5.
Running 11.5.0 and am having issues getting SSL Labs to be OK with forward secrecy and the cert chain. I'm more used to Apache on this stuff.
Also, how to pass the client cert to the backend DA servers through the F5.

Link Posted: 5/19/2015 10:40:54 PM EDT
[#1]
That's going to be tricky. You'll have to have a wildcard cert, I do believe, and most likely want your own multi-tier PKI at least to test things first. You'd then have those certs chain up to your trusted root. For DA I am most certain you need to have the client inside the LAN and get its cert issued via manual or auto-enrollment.

Are you doing EC certs?

Your regular key exchange after that should be typical DH.

That F5/load balancer/AD failover scenario is on my to-do list for my PKI lab. I just haven't gotten to it yet.

Are you on 2012R2 or 2008R2?
Link Posted: 5/20/2015 9:13:23 AM EDT
[#2]
Have a wildcard cert for my domain from Comodo on the F5, have internal PKI by Active Directory. No EC certs.

The machine certs will be handled by the AD team.

So far, I think I've got the client SSL setup fairly well; the part that gets me is the server SSL profile. When the F5 goes to talk to DA server 1 (have a pool of 1 for initial testing), it was reporting the cert name of the DA server, not my chosen da.example.com.

It is too bad that my training on this was 2 years ago and I haven't gotten to use it until now.
Link Posted: 6/1/2015 3:02:38 PM EDT
[#3]
Some things I learned:
11.5 has a bug with cipher mismatch.  I was being too aggressive in culling lame ciphers from the list.  The bug involves the F5 sending a RST when the TLS handshake begins.
The machine cert and chain need to be on the client SSL profile, the server SSL profile, and on the actual back-end server. I was trying it with a wildcard on the outside. No go.
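An added example, not from the thread and not an F5 tool, that checks from the outside the two things posts #2 and #3 are fighting with: whether the cipher a virtual server negotiates gives forward secrecy (what SSL Labs grades on), and whether the certificate presented under a name actually carries that name (the server SSL profile in post #2 seeing the DA server's own cert name instead of da.example.com). The host name da.example.com, the certificate records in CONSTRUCTED_CERTS and the probe() wrapper are assumptions for illustration; the name-matching rules (DNS SANs first, CN only as a fallback, a leading wildcard covering exactly one label) are the ones browsers and SSL Labs apply.

```python
"""Probe a TLS endpoint for forward secrecy and certificate name coverage.

Added example; not from the original posts and not F5 tooling. The host
name da.example.com and the records in CONSTRUCTED_CERTS are made up.
"""
import socket
import ssl
import sys

# OpenSSL cipher names start with the key exchange. Only ephemeral (EC)DH
# gives forward secrecy; static RSA, DH or ECDH key exchange does not.
FORWARD_SECRECY_KX = {"ECDHE", "DHE", "EDH"}


def has_forward_secrecy(cipher_name):
    """True when the cipher's key exchange is ephemeral. TLS 1.3 suites
    (TLS_AES_..., TLS_CHACHA20_...) always use an ephemeral exchange."""
    if cipher_name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return cipher_name.split("-", 1)[0].upper() in FORWARD_SECRECY_KX


def _label_match(pattern, host):
    """RFC 6125-style match: a leading '*' stands for exactly one leftmost
    label, so *.example.com covers da.example.com but neither example.com
    nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a peer cert may be matched against: every DNS SAN, or the
    subject CN only when the cert carries no SAN at all (the browser rule)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert, expected):
    return any(_label_match(n, expected) for n in cert_names(cert))


def probe(host, port=443, cafile=None):
    """Connect with SNI set to host and return what a scanner looks at.

    Chain verification stays on, so a chain with the intermediates missing
    from the profile raises ssl.SSLCertVerificationError. Python's own
    host-name check is turned off so that a name mismatch is reported in
    the result instead of aborting the handshake. A reset during the
    handshake (how post #3 describes the 11.5 cipher-mismatch behaviour)
    surfaces as ConnectionResetError or ssl.SSLError rather than a result.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, _proto, _bits = tls.cipher()
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": cipher,
                "forward_secrecy": has_forward_secrecy(cipher),
                "cert_names": cert_names(cert),
                "name_matches": hostname_matches(cert, host),
            }


# Constructed records in the shape ssl.SSLSocket.getpeercert() returns.
CONSTRUCTED_CERTS = {
    "wildcard_from_public_ca": {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    },
    "da_backend_machine_cert": {
        "subject": ((("commonName", "da1.corp.example.com"),),),
        "subjectAltName": (("DNS", "da1.corp.example.com"),),
    },
}


def demo(expected="da.example.com"):
    """Evaluate the constructed certs against the public name: the wildcard
    covers it, the back-end machine cert does not, which is what post #2
    saw on the server SSL profile side."""
    return {name: hostname_matches(cert, expected)
            for name, cert in CONSTRUCTED_CERTS.items()}


if __name__ == "__main__":
    print(demo())
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Saved as, say, tls_probe.py, `python tls_probe.py da.example.com` prints the negotiated protocol and cipher, whether that cipher is ephemeral, and whether the cert the virtual server presented actually covers the name in the SNI. Run it once against the F5 and once against a DA pool member directly; the second run is the quickest way to see which name the back end is presenting, which is what the server SSL profile has to be told to accept.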
Link Posted: 6/2/2015 4:04:18 AM EDT
[#4]
Interesting... I haven't had a chance to try any F5 gear yet.