Forum Discussion
Based on your summary of the issue here I would suggest looking at Appendix E in the Exchange 2013 iAPP DG. The way this works in general for APM securing Exchange Web services is APM authenticates the client using NTLM/Forms by default for Exchange on the front end and then performs SSO auth on the backend. The outlook client uses NTLM for authentication as opposed to OWA, which is forms based. The Exchange iAPP builds out an SSO Form for OWA that maps the required parameters for APM SSO forms authentication on the backend. However, since Outlook clients use NTLM that means APM on the back end SSO side has to authenticate using Kerberos.
This requires some configuration within AD, Big-IP and potentially your exchange servers depending on if reverse DNS lookup will work for the Exchange CAS servers. Appendix E. in the Exchange 2013 iAPP DG covers this configuration.