1 VIP accepts on "0" and passes to 3 different pools based on dest port

Why don't you simply create four different Virtual Servers, all using the same IP, but different ports? If you don't use SNAT on the VSs, then the client will see the original client IP (naturally, they must have a route back to the client, which traverses the BIG-IP -- unless you're using direct server return).

Why don't you simply create four different Virtual Servers, all using the same IP, but different ports? If you don't use SNAT on the VSs, then the client will see the original client IP (naturally, they must have a route back to the client, which traverses the BIG-IP -- unless you're using direct server return).

If your only objective is to pass the True-Client-IP HTTP header without alteration, and the Akamai source is inserting that header itself, you don't need an iRule, and in fact, don't even need the http profile on the Virtual Servers. In this case, separate Virtual Servers are definitely cleaner and more performant. If you need to either generate the True-Client-IP header, or need to make the source IP of traffic toward your servers be the True-Client-IP address, then an iRule and the http profile are both required. Even in this case, it's more performant to use separate Virtual Servers, and as I say, as long as the number of destination ports is low, then it is (in my opinion) still cleaner.

Incidentally, if the BIG-IP must parse or insert the True-Client-IP, and if the traffic bound for port 443 is SSL, you must terminate the SSL on the BIG-IP. If you are simply passing the header along, then as with all of the other Virtuals, you may simply use a FastL4 profile.

As @IanThomson85 points out, there are a number of DevCentral discussions along a similar vein. For example:

• https://devcentral.f5.com/questions/akamai-true-client-ip