Giammarco:
Thanks for the input on this. You're right on both counts. I'll need to look at why IE8+XP has an issue with this -- disabling TLS 1.0 is an okay fix but there should be a way to do this without needing a clientside fix. And we can't disable TLS 1.0 handshake checking in the iRule because SNI browsers can be TLS 1.0 (most are).
The offset thing -- that's also correct on your part. The rule was written originally prototyping against only SNI browsers, so I have to admit, redfaced, that I didn't test it too hard on non-SNI browsers. If I get a chance, I'll go update the iRule and give it another test.
Of course, if you're running 11.1/11.2, it's better to just use F5's built-in SNI support. :> It doesn't do pool switching, but an iRule on the VIP can easily do that for you once TMOS is done taking care of the SNI selection.