if the port is no longer 443, which is quite unlikely, but I have a small suspicion on StartTLS; else it is not doing standard SSL if there is no Hello as expected. Can't we assume them to negotiate SSL with F5 instead, to break their direct SSL with the proxy server (option in Ultrasurf config?). Else block them in their DNS request to known Ultrasurf DNS server ... Remove the Ultrasurf cache files in user temp directories, if there is an automated way to always do discovery req that can be blocked
Some past info, not sure for now on v10: in Ultrasurf versions 6.6 and 6.7, the connection travelled to port 443 but was not SSL. Beginning with version 8.8, Ultrasurf began to use what appears to be an anonymous SSL connection, where the server side does not respond with a certificate.
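The two behaviours mentioned in the post above (port 443 traffic with no ClientHello, and a handshake where the server never sends a certificate) can be told apart from the first bytes each side sends. The following is an added example, not part of the original post and not F5 or Ultrasurf code: the function names and sample bytes are constructed for illustration, and it assumes a cleartext TLS 1.2-or-earlier handshake as seen by an inline device or in a capture.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 0x16, 0x14
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14

def records(data):
    """Yield (content_type, body) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", data, off)
        if major != 3 or off + 5 + length > len(data):
            return
        yield ctype, data[off + 5: off + 5 + length]
        off += 5 + length

def handshake_types(data):
    """Return the cleartext handshake message types in order."""
    stream, types, off = b"", [], 0
    for ctype, body in records(data):
        if ctype == CHANGE_CIPHER_SPEC:
            break                     # handshake records after this are encrypted
        if ctype == HANDSHAKE:
            stream += body
    while off + 4 <= len(stream):
        types.append(stream[off])
        off += 4 + int.from_bytes(stream[off + 1: off + 4], "big")
    return types

def classify_flow(client_first, server_first):
    """Label a port-443 flow from the first bytes each side sent."""
    c = client_first
    if not (len(c) >= 6 and c[0] == HANDSHAKE and c[1] == 3 and c[5] == CLIENT_HELLO):
        return "not-tls"              # port 443 used, but no ClientHello
    types = handshake_types(server_first)
    if SERVER_HELLO_DONE in types and CERTIFICATE not in types:
        return "tls-no-certificate"   # server flight ended without a Certificate
    return "tls"

# Constructed sample data: message bodies are zero padding, not real handshakes.
def hs(msg_type, body=b"\x00" * 8):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body
def rec(payload, ctype=HANDSHAKE):
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload

HELLO = rec(hs(CLIENT_HELLO))
NORMAL = rec(hs(SERVER_HELLO) + hs(CERTIFICATE) + hs(SERVER_HELLO_DONE))
ANON = rec(hs(SERVER_HELLO)) + rec(hs(12) + hs(SERVER_HELLO_DONE))  # 12 = ServerKeyExchange
if __name__ == "__main__":
    for c, s in [(HELLO, NORMAL), (HELLO, ANON), (b"\x8a\x01binary", b"")]:
        print(classify_flow(c, s))
```

A TLS 1.3 server flight is encrypted after the ServerHello, so it contains no cleartext ServerHelloDone and is labelled plain "tls" rather than flagged.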