Quite a lot of internal HTTP/HTTPS services have accumulated that need to be published to the outside. The services are diverse and run on different platforms. Right now everything is published through MS TMG, partly through a single public IP address, separated by domain name. But since almost all of the services have to be served over HTTPS, complications arise in generating and importing certificates on the server and on TMG: the certificate has to be bound to the "listener". This almost eliminates the possibility of using Let's Encrypt, because on the server certificate reissue works automatically, but on TMG the certificate has to be imported by hand and changed in the listener.
So the search is on for a free solution for publishing web services, with the ability to add all the subdomains and obtain certificates for them from Let's Encrypt, or to not set up its own certificate and forward straight to the destination server. Plus some extras for protection, such as limiting the number of sessions, blocking brute-force attempts and so on.