Hi Steve,
I'd suggest configuring a single port VIP (VIP:80 -> pool:80) to restrict clients to just the port that is required. If you do end up needing HTTPS access, you can configure a second VIP on 443 pointing to the same HTTP pool. Having a separate VIP per service makes it easy to tailor the profiles for the required protocols.
Apparently there are issues with OneConnect and NTLM so I think you're right to not use OneConnect.
You should be able to configure source address (with a /32 mask) or cookie insert persistence to persist either individual client IP addresses or client browser sessions. Destination address persistence is more suited for load balancing cache servers or external links, not web applications. Destination address persistence creates a persistence record on the BIG-IP based on the client's destination address. So all clients would be persisted to the same pool member if they're all requesting the same VIP address. The persistence record is stored on the BIG-IP for the configured timeout length, so there is nothing the client can do to force re-selection of the pool member.
Hope this helps,
Aaron
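The persistence behaviour Aaron describes, as an added model that is not part of his reply and not BIG-IP code: a persistence record is keyed either on the masked client address or on the destination (VIP) address, and is reused until it has been idle for the profile timeout. The pool members, VIP and client addresses are constructed for the illustration.

```python
import ipaddress

# Constructed pool behind one VIP (assumed addresses, not from the original post)
POOL = ["10.0.0.11:80", "10.0.0.12:80", "10.0.0.13:80"]
VIP = "192.0.2.10"


class PersistenceTable:
    """Model of a BIG-IP persistence profile: key -> (member, last_seen)."""
    # A record is reused until idle for `timeout` seconds, so the client cannot
    # force re-selection of the pool member while the record is still valid.

    def __init__(self, mode, mask="255.255.255.255", timeout=180):
        self.mode, self.mask, self.timeout = mode, mask, timeout
        self.table = {}
        self.rr = 0  # round-robin pointer used when no record matches

    def key(self, req):
        if self.mode == "source_addr":   # client IP under the mask (/32 = per client)
            net = ipaddress.ip_network(f"{req['src']}/{self.mask}", strict=False)
            return str(net.network_address)
        if self.mode == "dest_addr":     # the VIP address: identical for every client
            return req["dst"]
        raise ValueError(self.mode)

    def select(self, req, now):
        k = self.key(req)
        hit = self.table.get(k)
        if hit and now - hit[1] <= self.timeout:
            self.table[k] = (hit[0], now)   # refresh the idle timer
            return hit[0]
        member = POOL[self.rr % len(POOL)]  # no valid record: load-balance
        self.rr += 1
        self.table[k] = (member, now)
        return member


def simulate(mode, mask="255.255.255.255"):
    """Three constructed clients each hit the VIP twice; return member per client."""
    clients = ["203.0.113.5", "203.0.113.6", "198.51.100.7"]
    pt = PersistenceTable(mode, mask)
    chosen = {}
    for t, src in enumerate(clients * 2):
        chosen[src] = pt.select({"src": src, "dst": VIP}, now=t)
    return chosen


def same_member_after_idle(idle_seconds, timeout=180):
    """Does a client that goes idle for `idle_seconds` land on the same member?"""
    pt = PersistenceTable("source_addr", timeout=timeout)
    req = {"src": "203.0.113.5", "dst": VIP}
    return pt.select(req, now=0) == pt.select(req, now=idle_seconds)
```

With `dest_addr` every client shares one record and lands on the same member, while `source_addr` with a /32 mask gives each client its own record and a /24 mask lumps clients from the same subnet together.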