That is a little more challenging then. Are you not doing any load-balancing then? I would suggest a couple of things then - just create a Virtual server for Exchange on this instance and point it to a pool(of one Exchange server?). You don't need any persistence/advanced stuff - just standard virtual server and pool with HTTP profile enabled. Don't forget to turn on SNAT Automap on the Virtual. Then verify all modes of operation(OWA/ActiveSync/OA). It's probably highly unlikely that only one is going to be broken..... but if you can really isolate it to the OA only, then you would need to capture some traffic on the BIG-IP and perform SSLdump on it to see what is happening on the wire. Your goal is to successfully pass traffic through the BIG-IP first without having ASM enabled - and then turn it on on the selective traffic such as OWA/ActiveSync