Monday, 17 September 2018

IIS - Configuring X-ARR-ClientCert for server farms

Looked around for ages for this.

If you are using IIS as a reverse proxy server, you have ARR installed and are using server farms to load balance incoming requests to multiple back end services, the configuration for some things is done at the server farm level rather than at the default server level.

My problem was how to change the name of the HTTP header in which IIS forwards the client certificate when it is performing mutual TLS authentication.

So - the IIS server has mutual TLS configured with a client certificate required, and it terminates the SSL endpoint.

Without a server farm you can use the Configuration Editor at the IIS server level and configure the system.webServer/proxy entry. There is a setting clientCertHeaderName with a default value of X-ARR-ClientCert, and you can change it to something else to control the header name under which IIS sends the authenticated client cert downstream.

If you use server farms, however, you have to set up a URL Rewrite rule at the IIS server level to pass matching incoming requests to the server farm, and in that case the X-ARR-ClientCert header name is not affected by the system.webServer/proxy setting.

Instead, at the server level you have to use the Configuration Editor and look at the "webFarms" configuration. There will be a collection of the configured server farms, so pick the one that you want to change.

Modify the "applicationRequestRouting.protocol.clientCertHeaderName" property of that server farm to the value you want to get the desired behaviour.
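The same change scripted with the WebAdministration module, as an added example that is not from the original post. It reads the server-level proxy setting and the per-farm setting side by side, then updates the farm; the farm name 'BackendFarm' and the header name 'X-Client-Cert' are placeholders you would replace with your own.

```powershell
# Added example: change clientCertHeaderName on an ARR server farm.
# Run in an elevated PowerShell on the IIS/ARR host.
Import-Module WebAdministration

$farmName   = 'BackendFarm'     # assumed: an existing ARR server farm
$headerName = 'X-Client-Cert'   # assumed: the header name the backend expects
$psPath     = 'MACHINE/WEBROOT/APPHOST'

# Server-level setting: only honoured when proxying without a farm.
$proxyFilter = 'system.webServer/proxy'
# Per-farm setting: the one that applies when a URL Rewrite rule
# routes requests to the farm.
$farmFilter  = "webFarms/webFarm[@name='$farmName']/applicationRequestRouting/protocol"

function Get-ClientCertHeaderName {
    param([string]$Filter)
    $prop = Get-WebConfigurationProperty -PSPath $psPath -Filter $Filter -Name 'clientCertHeaderName'
    # The cmdlet may return the raw string or a ConfigurationAttribute wrapper.
    if ($prop -is [string]) { $prop } else { $prop.Value }
}

Write-Host ("system.webServer/proxy : {0}" -f (Get-ClientCertHeaderName $proxyFilter))
Write-Host ("farm '{0}' before      : {1}" -f $farmName, (Get-ClientCertHeaderName $farmFilter))

# Change the farm's header name; this is committed to applicationHost.config.
Set-WebConfigurationProperty -PSPath $psPath -Filter $farmFilter `
    -Name 'clientCertHeaderName' -Value $headerName

Write-Host ("farm '{0}' after       : {1}" -f $farmName, (Get-ClientCertHeaderName $farmFilter))

# Equivalent appcmd one-liner (same placeholders):
# appcmd set config -section:webFarms "/[name='BackendFarm'].applicationRequestRouting.protocol.clientCertHeaderName:X-Client-Cert" /commit:apphost
```

Whatever name you choose, the backend should accept that header only on connections that arrive from the ARR proxy, since the proxy is the component that actually verified the certificate.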