SGOS 220.127.116.11 introduced support for presenting entire client certificates to SSL servers that require client certificate authentication (see 000010410 for more information). Before this release, client certificates were supported, but only to a limited extent.
On versions prior to 18.104.22.168, the ProxySG can verify the client's certificate and forward certain attributes of it (not the entire certificate) when the connection is intercepted on an HTTPS-Reverse-Proxy service, as explained in 000013836 and shown in the image below.
However, this article is specific to the ProxySG's ability to send the entire client certificate to a server when required. Prior to 22.214.171.124, sending the entire client certificate to a server that requires it was supported, but it was limited to one certificate per ProxySG unit. When a keyring is set in the SSL client of the ProxySG, the ProxySG uses that keyring's certificate whenever a server requests a client certificate. This does not accommodate multiple servers that require different certificates, but it suits reverse proxy deployments where the back-end servers require client certificate authentication and, if there is more than one server, they all accept the same certificate or root/intermediate CA.
For example, if you created a keyring with a signed certificate by submitting a certificate signing request (CSR), you can associate that keyring with the SSL client so that it is used for client certificate authentication to the back-end server(s). Set this in the Management Console under Configuration > SSL > SSL Client (see image below):
*Note: To be clear, the limitation here is that setting the SSL client keyring lets you use only one certificate, the same one for every SSL server the ProxySG connects to that requires a client certificate.
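Because one keyring certificate has to satisfy every back-end server, it helps to compare that certificate's issuers with the CA names each server lists in its certificate request before relying on this setup. The Python below is an added example, not part of the original article or of SGOS; the host names, DNs, `openssl s_client` excerpts and function names are constructed for illustration.

```python
import re

# Constructed excerpts of `openssl s_client` output per back end (made-up names).
SAMPLE_OUTPUT = {
    "app1.example.internal": """\
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA 1
C = US, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
""",
    "app2.example.internal": """\
Acceptable client certificate CA names
/C=US/O=Other Org/CN=Other Partner CA
Client Certificate Types: RSA sign, ECDSA sign
""",
    "app3.example.internal": "No client certificate CA names sent\n",
}
# Issuer DNs in the chain of the SSL client keyring certificate (constructed).
KEYRING_ISSUERS = ["CN=Example Issuing CA 1,O=Example Corp,C=US"]
HEADER = "Acceptable client certificate CA names"

def normalize_dn(dn):
    """Reduce both OpenSSL DN print styles to a comparable set of RDNs.
    Simplification: assumes no ',' or '/' inside attribute values."""
    parts = re.split(r"[/,]", dn)
    return frozenset(
        re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts if "=" in p)

def acceptable_cas(s_client_text):
    """Return the CA DNs the server listed, or None if it sent no list."""
    lines = s_client_text.splitlines()
    if HEADER not in lines:
        return None
    cas = []
    for line in lines[lines.index(HEADER) + 1:]:
        if "=" not in line:  # first non-DN line ends the list
            break
        cas.append(normalize_dn(line))
    return cas

def backends_rejecting(issuer_dns, outputs):
    """Back ends whose CA list names none of the keyring cert's issuers."""
    chain = {normalize_dn(dn) for dn in issuer_dns}
    rejected = []
    for host, text in sorted(outputs.items()):
        cas = acceptable_cas(text)
        # No list sent: there is no hint to check against, so not flagged here.
        if cas is not None and not chain.intersection(cas):
            rejected.append(host)
    return rejected
```

With the constructed data, `backends_rejecting(KEYRING_ISSUERS, SAMPLE_OUTPUT)` flags only `app2.example.internal`, the back end that would need a different certificate than the one in the SSL client keyring.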
** Apart from the above scenarios, if you have problems accessing an HTTPS site that requires a client certificate and you are either running a version of SGOS earlier than 126.96.36.199 or you do not otherwise have the client certificate to install, you will need to force the SG to TUNNEL the connection when the server sends a "Certificate Request". For more information, see 000011271.