Old 06-09-2008, 09:42   #293
Ignitionnet
Re: Application Throttling/Management

Popper, those rely on having the proxy configured as a CA on the browsers so that they can create phony certificates to present to the browsers.

They can work at layer 2; however, they terminate the SSL tunnel from client to server and from server to client. To do this they require the browser to trust them to sign certificates. This can be done in an enterprise environment where you have control over the security policies on browsers; however, in an ISP environment it's not feasible.

EDIT: The other alternative is to get certified as a CA properly so that you get installed into browsers; however, use of a CA in this manner is not valid and any company doing this will soon find their CA disappears.

Remember how SSL works: in order to properly set up the session you need to have a certified, signed public/private key pair from the server. While it is possible to impersonate the client and decrypt the flow initially, it is not possible to impersonate the server unless you have a signed public/private key pair the client trusts through appropriate certification.

Having set up SSL offload appliances, I can say they all, without exception, require the transferral of the key pair from the server to the appliance or the generation of a new key pair which has been appropriately signed and certified on a per-server basis. I would suggest the same goes for trying to SSL 'offload' within the ISP network as well.
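An added illustration of the trust argument made in this post (example code written for this edit, not the poster's): it uses Go's standard x509 library to build a public CA and an interception-proxy CA, issues a genuine and a proxy-issued certificate for the same hostname, and checks which one a client accepts depending on whether the proxy CA has been pushed into its trust store. The CA names, the hostname and the 24-hour validity are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for name with parentKey; a nil parent makes it self-signed (a root CA).
func issue(name string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for this demo
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed validity window
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if !ca { tmpl.DNSNames = []string{name} } // leaf certs carry the hostname as a SAN
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario reports (genuine accepted, proxy cert accepted by a stock browser, proxy cert accepted once the proxy CA is installed).
func Scenario(host string) (bool, bool, bool) {
	realCA, realKey := issue("Public CA", true, nil, nil)
	proxyCA, proxyKey := issue("Interception Proxy CA", true, nil, nil)
	genuine, _ := issue(host, false, realCA, realKey)   // what the real server presents
	forged, _ := issue(host, false, proxyCA, proxyKey)  // what a terminating proxy must present
	ok := func(c *x509.Certificate, roots *x509.CertPool) bool {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err == nil
	}
	browser := x509.NewCertPool() // stock trust store: only the public CA
	browser.AddCert(realCA)
	enterprise := x509.NewCertPool() // enterprise policy also pushed the proxy CA
	enterprise.AddCert(realCA)
	enterprise.AddCert(proxyCA)
	return ok(genuine, browser), ok(forged, browser), ok(forged, enterprise)
}

func main() { fmt.Println(Scenario("example.com")) }
```

The middle result is the ISP case from the post: without control over the client's trust store, the proxy's certificate for the hostname fails validation.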