Forum Discussion

Michael_Ozorows
Mar 06, 2017

Pass Source IP to server?

Hello,

We have a server, call it 172.1.1.1, in our DMZ. We NAT it to 10.1.1.1. When I visit https://10.1.1.1, our dev team has a script that runs that displays "Your IP is: 10.23.3.x".

I then go through the load balancer, create a pool with this single server on port 443, and create a VIP 172.1.1.2 and NAT it to 10.1.1.2.

When I visit https://10.1.1.2 it says "Your IP is: 172.1.1.x".

Can anyone point me in the right direction on how I can get the same result directly to the server and behind the VIP? I'm new to F5, and stumbling over which direction to go.

4 Replies

    • Michael_Ozorows

      Thank you Jhaas, this worked!!! :) The only thing I had to do was use port 80 or 8080 with X-Forwarded-For; it's not working with HTTPS.

      I think for HTTPS I just need an SSL cert for SSL offload on the F5, is that correct?

    • Stephane_Viau_1

      Michael, you have 3 options:

      The first option is that you do not enable an HTTP profile on your Virtual Server. In this case the TLS handshake will have to be done by your application server. There is zero offloading done in this case and your SSL certificate needs to be on your app server:

      Client --> Passthrough Port 443 --> Big-IP --> Passthrough Port 443 or 8443 --> App Server

      The second option is that you enable an HTTP profile and also an SSL certificate (through a client-ssl profile), but pass the requests on to the app server unencrypted. This is probably the scenario you are looking for, because it provides offloading for your server:

      Client --> HTTPS Port 443 --> F5 Big-IP --> HTTP Port 8080 --> App Server

      This option offloads the server as the encryption terminates at the Big-IP. One important thing to know is that this might cause your app to misbehave, because your app might want users to come in via HTTPS but it will see unencrypted connections. And then it will redirect users to . And this is going to create an infinite loop. In this case you might need to pass on not only X-Forwarded-For, but also X-Forwarded-Proto, to tell your application that the user has connected via HTTPS and not HTTP.

      The third option is that you use encryption all the way, in which case you need an HTTP profile, a client-ssl profile and a server-ssl profile. You will need an SSL cert on both the Big-IP and the app server:

      Client --> HTTPS port 443 --> Big-IP --> HTTPS Port 443 or 8443 --> App Server

      This scenario does not provide offloading for your server but provides an additional level of security.
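The application-side half of the second and third options above, as an added example that is not part of this thread and not F5 code: whatever script prints "Your IP is", it should read X-Forwarded-For only when the TCP peer is the BIG-IP itself, take the right-most address it did not add, and treat X-Forwarded-Proto the same way so that a force-HTTPS rule stops looping. The trusted range 172.1.1.0/24 (the "172.1.1.x" the server sees behind the VIP), the assumption that the proxy appends the peer it saw to the right of any existing header, and all sample addresses and headers are constructed for the example.

```python
"""Reading X-Forwarded-For / X-Forwarded-Proto safely behind a
TLS-offloading load balancer. Example code written for this thread;
not F5's code and not the original poster's script."""
import ipaddress
from typing import Mapping, Optional

# ASSUMPTION: the address range the app server sees as the TCP peer when a
# request arrives via the BIG-IP (the thread shows "172.1.1.x"). Replace with
# the real SNAT / self-IP range; forwarded headers from anyone else are noise.
TRUSTED_PROXIES = [ipaddress.ip_network("172.1.1.0/24")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is one of our load balancers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return ""


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Return the address to report as 'Your IP is ...'.

    peer_addr is the TCP peer reported by the server socket. If it is not a
    trusted proxy, X-Forwarded-For is ignored entirely: any client can send
    that header with any value. If it is, the list is walked from the right
    (the entry the proxy appended), skipping our own proxies; the first
    address we did not add ourselves is the client. ASSUMPTION: the proxy
    appends the peer it saw to the right of any existing value, which is the
    conventional X-Forwarded-For behaviour.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    raw = _header(headers, "X-Forwarded-For")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: report the proxy rather than a string a client chose.
            return peer_addr
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr  # header absent, or every hop was one of ours


def request_scheme(peer_addr: str, headers: Mapping[str, str], socket_is_tls: bool) -> str:
    """Scheme the *client* used. Behind an offloading proxy the socket is plain
    HTTP, so X-Forwarded-Proto is believed only when the peer is a trusted proxy."""
    if socket_is_tls:
        return "https"
    if is_trusted_proxy(peer_addr) and _header(headers, "X-Forwarded-Proto").lower() == "https":
        return "https"
    return "http"


def https_redirect(peer_addr: str, headers: Mapping[str, str], socket_is_tls: bool,
                   host: str, path: str) -> Optional[str]:
    """Location for a force-HTTPS redirect, or None when the request is already
    secure. Deciding on request_scheme() instead of the raw socket is what
    breaks the redirect loop: requests that were HTTPS at the BIG-IP but arrive
    on port 8080 are no longer bounced back to https://, decrypted, and bounced again."""
    if request_scheme(peer_addr, headers, socket_is_tls) == "https":
        return None
    return f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed requests from a client at 10.23.3.5 that tries to spoof XFF
    # with 203.0.113.9, once through the VIP and once directly to the server.
    via_vip = {"X-Forwarded-For": "203.0.113.9, 10.23.3.5", "X-Forwarded-Proto": "https"}
    direct = {"X-Forwarded-For": "203.0.113.9"}
    print("via VIP ->", client_ip("172.1.1.2", via_vip), request_scheme("172.1.1.2", via_vip, False))
    print("direct  ->", client_ip("10.23.3.5", direct), request_scheme("10.23.3.5", direct, True))
```

The peer check is the part that matters for security: a script that simply prints the first value of X-Forwarded-For lets any client pick the address that ends up in logs, rate limits and IP allowlists, whether or not a BIG-IP is in front of it. Walking the list from the right and skipping only our own proxies keeps the spoofed left-hand entry from ever being chosen.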

    • Samir_Jha_52506

      @Michael, you will have to attach a valid SSL cert to the HTTPS VIP to get the client IP. The rest of the configuration is the same as for an HTTP VIP (HTTP profile with X-Forwarded-For enabled).