When connecting to the Federated Authentication Service, StoreFront can request a specific Rule by name. Different rules can map to different user groups and certificates.
A common deployment is to configure one set of StoreFront servers to handle users inside the office, and one set of StoreFront servers to handle external users connecting via Netscaler. By configuring StoreFront deployments to use different FAS Rules, the Federated Authentication Service can supply different certificates depending on whether users are currently inside or outside the corporate firewall.
If this policy is not configured, then StoreFront will ask for a rule named "default".