So in the end, the cert error that we got when enabling tunneling was indeed a cert mismatch. The cert we were presenting with the F5 (that's also on the connection servers) and the cert that was installed on the UAGs weren't the same. That's what we get for assuming, and not bothering to check a cert, which takes all of 5 seconds. Ah well, once we put the proper wildcard in place, we were good to go; things are running just fine in testing.