Two Way Authentication Into Salesforce?

If I understand you correctly, you want to make web service callouts from Salesforce org to your legacy apps behind the mediator. You will only need Two-Way SSL when making web service callouts from Salesforce org to external systems. See Making Authenticated Web Service Callouts Using Two Way SSL. You can install Apache HTTP server on your mediator and use it as a revers proxy to delegate requests to appropriate legacy apps. The Apache HTTP server deals with SSL configuration. You will need to install your external system's domain certificate on Apache server. Also you need to generate the certificate for Salesforce on the Apache server and upload the certificate back to the Salesforce org.