We had a project where the customer used a cross-farm services environment and wanted to implement Duet Enterprise 1.0 in this environment.
The publishing farm is the farm where the services are published from, the consuming farm is the farm that consumes the services. In front of the consuming farm there is an SSL-offloading loadbalancer for the internal network.
Duet Enterprise was installed on both farms.
The BCS service application is hosted at the service publishing farm and this is where the BCS models imported, the BCS proxy makes them available in the consuming farm.
As the BCS models are on the publishing farm it seems logical to use the Security Token Service (STS) certificate of this farm to Gateway.However, the farm that initiates the user for the Duet Enterprise request flow is authenticated thus the Security Token Service for the consuming farm needs to be hand over to the SAP admin.
Also share the SSL certificate off the load-balancer with the SAP administrator.