If I'm reading your question correctly, you want unencrypted client traffic arriving to a single destination IP address but different ports to be load balanced to an appropriate server and encrypted on the server-side. (So encryption only on the server-side connection, not on the client-side.) You don't need an iRule to do this traffic direction. Just define three separate virtual servers, each listening on a different port (7443, 8443, and 9443) that load balance to their respective port 443 pool member. (In other words, you can define three different virtual servers at the same IP address but listening at different ports.) Make sure each virtual server also has an appropriate server-SSL type profile configured with the necessary certs to be able to handshake properly with the 443 servers on the server-side connection.