i am having an issue connecting to my security servers from the outside. wondering if anyone has experienced the same issue or has any input

customer has an F5 LB running Big-IP version 11.6

F5 has a wild card *.xxx.com cert

F5 is doing SSL offloading

F5 VIP was configured with the most current doc (4-1-16)

vdi.xxxx.com --> Public IP --> NAT --> F5 VIP --> security Server --> Connection server

                                                                    --> security Server --> Connection server

if i set the security servers external URL to the VIP, i connect and get a login box, shows secure https: connection. if i login, i get an error box that the tunnel creation failed. i can see on the connection server that it authenticated me, but again tunnel fails, and i never recieve the list of available desktops

if i set the security servers external URL to the public DNS FQDN vdi.xxxx.com , i will get an error "The Connection Server Authentication failed. The tunnel server presented a certificate that didnt match the expected certificate.

if i disable SSL checking on the client, and have the security servers set to that DNS FQDN, i can get the desktop list, but when i click the desktop i want, it never connects. i can see in the logs that the request came to the desktop and vConn server handed off a desktop for me to use, but no connection.

i opened a case with F5 and VMWare, but awaiting their calls back. any input would be much appreciated!!