Thank you alabaster & Chris. I appreciate your help. I'm afraid you will need to go very slowly with me. Users on our network are initiating a web connection to the destination url. The users can get to the destination site okay but cannot authenticate. The F5 Engineer reviewed the tcpdumps from the F5 device and suggested setting up the destination addr persistence affinity to see if it works. We have two F5 devices: each one sits in front of a different ISP (for ISP redundancy). One unit shows status "Active" and the other one shows status "Standby". By VIP I assume you are referring to Local Traffic > Virtual Servers: Virtual Server List. We have an outbound HTTPS (443) forwarder defined with type "Performance (Layer 4)" and protocol "fastl4_long_idle". We have an outbound HTTP (80) forwarder defined the same way. We also have a generic outbound forwarder that is set up as type "Forwarding (IP)" and protocol "fastl4_long_idle". So I'm guessing I need to set up another forwarder for 8443 traffic, restricting to the destination IP. Am I on the right track? Is this change fairly innocuous?
Nimbostratus