Forum Discussion

basemsousan1985
Dec 29, 2016

SSL Bridging issue

Hi Guys,

Actually, I am new to SSL operations.

I am going to create a Virtual Server which will perform SSL bridging between the clients and the nodes:

  • Between the Virtual Server and the clients, I will create and assign a Client SSL Profile that contains the certificate chain.

  • Between the Virtual Server and the nodes, the node is an RSA Web Tier server which contains the SSL certificate, so the Virtual Server will be the SSL client on this side.

I need an idea regarding what type of SSL server profile I have to create and assign?

 

2 Replies

  • Normally the server SSL profile doesn't matter. As the client in this case, it's receiving the server's cert in the SSL handshake, which it will silently ignore if it can't validate it. You can install a CA bundle in the server SSL profile to validate the server's cert, but generally you don't have to. The only other things you might need to worry about would be:

    1. Cipher compatibility - the DEFAULT cipher stack should be able to accommodate later web servers. Otherwise you can switch to the built-in 'serverssl-insecure-compatible' profile, which supports older ciphers.

    2. RFC5746 renegotiation - the generic server SSL profile requires strict adherence to RFC5746 "Secure Renegotiation", which is sometimes not supported by older servers. Again you can switch to the 'serverssl-insecure-compatible' profile to test this, or simply set the Secure Renegotiation option in your server SSL profile to 'Request'.

    I'd start with the generic server SSL profile though, as that'll work most of the time.

  • You specifically asked about the server SSL profile. In the server side SSL handshake, where the BIG-IP is the client, the server will send its certificate. The default behavior of the server SSL profile is to ignore any validation errors, so you can simply use a generic server SSL profile. You can, optionally, require the server SSL profile to validate the web server's certificate, in which case you'd need to add a CA bundle to that profile and set the appropriate options in the Server Authentication section of the profile.

    But again, you shouldn't normally have to do any of this. The default behavior is to ignore validation errors, so a generic (unmodified) server SSL profile will usually do just fine.
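The two server-side configurations both replies describe, the generic profile that ignores validation errors and the same profile with server certificate validation turned on, written out as tmsh configuration. This is an added example, not from the thread and not F5's own documentation; the profile names, the CA bundle file name, the host name in authenticate-name and the virtual server name are placeholders.

```tmsh
# Added example (not from the thread). Object names (serverssl-bridge-*),
# the CA bundle file name (webtier-ca-bundle.crt), the host name and the
# virtual server name (vs_ssl_bridge) are placeholders.

# 1. The "generic" profile the replies recommend starting with: inherits from
#    the built-in serverssl profile. peer-cert-mode ignore means the BIG-IP,
#    acting as the TLS client towards the web tier, accepts whatever
#    certificate the server presents. Secure renegotiation is left at the
#    parent's strict RFC 5746 requirement.
create ltm profile server-ssl serverssl-bridge-default {
    defaults-from serverssl
    peer-cert-mode ignore
}

# 2. The same profile with validation of the web tier's certificate enabled.
#    ca-file references a CA bundle already imported into the BIG-IP
#    (System > File Management > SSL Certificate List). peer-cert-mode require
#    makes the handshake fail if the chain does not validate against that
#    bundle; authenticate-name additionally checks that the certificate's
#    CN matches the expected web tier host name. secure-renegotiation request
#    is the relaxed setting the first reply mentions for older servers.
create ltm profile server-ssl serverssl-bridge-validate {
    defaults-from serverssl
    peer-cert-mode require
    ca-file webtier-ca-bundle.crt
    authenticate-name webtier.example.internal
    secure-renegotiation request
}

# Attach the validating profile on the server side of the bridging virtual
# server (the client SSL profile with the certificate chain stays on the
# clientside context).
modify ltm virtual vs_ssl_bridge profiles add { serverssl-bridge-validate { context serverside } }

save sys config
```

Only the second profile gives the BIG-IP a way to notice a substituted or expired certificate on the web tier; with the first, the server-side hop is encrypted but not authenticated. The validating profile requires the CA that signed the web tier's certificate to be imported first, otherwise every server-side handshake fails.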