Forum Discussion

owenallenaz_297
Nov 01, 2016

Creating a high availability public IP without access to HTTP headers

What we are looking to do is have a public IP which forwards traffic to internal servers, not via HTTP, but without altering the original IP of the request.

The reason we need such a setup is that the hosting company we work with provides us an F5 BIG-IP but doesn't give us direct access to it. Right now, installing SSL certs requires a manual change on the F5. We'd like to be able to manage the certs ourselves as well as script some of the SSL certs using tools such as Letsencrypt.com, so we are attempting to allow us to manage the SSL certs on servers we control. So that means we need to route the traffic from our public IP (the F5 device) to our servers without reaching into the HTTP packet (or we need the certs installed). Due to this fact, we can't use standard Layer 7 type VIPs. This also means we can't do something like XFF to retain the original source IP. We could have our host simply route all traffic from a public IP to an internal server of ours, but that means that server becomes a single point of failure. So that's why we're trying to find a proper setup for the F5 device to properly handle this situation.

Reading up on the subject it seems like there are 2 possibilities we can employ. Either a layer 4 VIP which load balances to a pool, or a forwarding IP (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_virtual.html). We don't need load balancing capability, but we do need failover. When we tried a layer 4 VIP, we lost the source IP of the original request (it became the IP of the layer 4 device). Is that because we were setting up something wrong in our L4 device or is that a standard "feature" of a layer 4 VIP? Would a forwarding IP setup be able to get us what we need? Does it support failover capability (even if only one destination server is active at a time, it can fail over to another)? Would it have the same problem we had with losing the source IP of the original request?

 

1 Reply

You have two options with respect to maintaining the source IP address of the request. In either case what you are trying to achieve is access for the clients to the backend pool, with SNAT disabled.

The first option is layer 3 forwarding, aka routing, via the F5. Below is a link to the overview for this method: Layer 3 Forwarding overview

The second option is a VLAN group. The link below can provide guidance for this method:

F5 VLAN Group overview
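As an added illustration of the reply's "SNAT disabled" point (this is not configuration from the poster, the reply, or F5's documentation), the following tmsh commands build a FastL4 virtual server with source address translation set to none, so the client's source IP survives, and a pool whose priority groups give the active/standby failover the question asks for. The public address 203.0.113.10, the backend addresses 10.10.0.11 and 10.10.0.12, and the object names are assumed placeholders. Note that a pure IP-forwarding virtual server (the `ip-forward` form shown last) has no pool attached, so it forwards by routing alone and does not provide pool-member failover.

```tmsh
# Assumed backend pool. Priority groups: traffic goes to the priority-10 member
# while it passes the monitor; if it fails, the priority-5 member takes over.
create ltm pool pool_web_tls \
    members add { 10.10.0.11:443 { priority-group 10 } 10.10.0.12:443 { priority-group 5 } } \
    min-active-members 1 \
    monitor tcp

# Layer-4 virtual server on the assumed public IP. "source-address-translation
# { type none }" is the setting that keeps the original client source IP; with
# SNAT automap enabled, the backend would instead see the BIG-IP's self IP,
# which matches the symptom described in the question.
create ltm virtual vs_public_tls \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { fastL4 } \
    pool pool_web_tls \
    source-address-translation { type none }

# Same pattern for plain HTTP (needed for e.g. HTTP-01 ACME challenges) with an
# assumed second pool on port 80.
create ltm virtual vs_public_http \
    destination 203.0.113.10:80 \
    ip-protocol tcp \
    profiles add { fastL4 } \
    pool pool_web_http \
    source-address-translation { type none }

# Alternative: an IP-forwarding virtual server (the "forwarding IP" from the
# question). No pool is attached, so there is no member failover; traffic is
# routed according to the BIG-IP routing table.
create ltm virtual vs_forward_all \
    destination 203.0.113.10:0 \
    ip-forward \
    translate-address disabled \
    profiles add { fastL4 } \
    source-address-translation { type none }

save sys config
```

Because the backend servers now see the real client address rather than the BIG-IP's, their replies must still travel back through the BIG-IP: the servers' default gateway (or at least a route for the client address ranges) has to point at the BIG-IP's internal self IP. If the reply takes a different path, the client receives packets from an address it never connected to and the TCP session never completes. Verify after applying with `show ltm pool pool_web_tls members` and, on a backend server, by checking that connection logs show client addresses rather than 10.x self IPs.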