We recently ran into a similar request to create a more intelligent health monitor which looks for a string of text from within sharepoint that required NTLM authentication. Here are a couple of items that might help depending on which version of F5 you are running. If you are running v11.1 or later the out-of-the-box HTTP monitors now support NTLM authentication so I would recommend that. If you are running something a little older, you may need to create a custom external monitor and leverage CURL so I have included a sample for it as well.
Notes:
1) X-FORMS_BASED_AUTH_ACCEPTED: f -- found to be required for Sharepoint after reading http://msdn.microsoft.com/en-us/library/hh124553%28v=office.14%29.aspx
2) username testuser@mydomain.com instead of the \testuser as suggested in http://support.f5.com/kb/en-us/solutions/public/2000/100/sol2167.html as the latter resulted in our test account becoming locked out
ltm monitor http sharepoint-NTLM {
defaults-from http
destination *:*
interval 30
password "Password01"
recv MyTestText
send "GET /portal/Pages/default.aspx HTTP/1.1\\r\\nX-FORMS_BASED_AUTH_ACCEPTED: f\\r\\nHost: sharepoint.mydomain.com"
time-until-up 0
timeout 91
username testuser@mydomain.com
}
Curl Samples that show how to test individual node IPs for a sharepoint site using Host-Headers:
curl --ntlm -k -v --header "X-FORMS_BASED_AUTH_ACCEPTED: f" --user 'testuser@mydomain.com:!Password01' http://10.10.10.10:80/portal/Pages/default.aspx -H "Host: sharepoint.mydomain.com"
curl --ntlm -k -v --header "X-FORMS_BASED_AUTH_ACCEPTED: f" --user 'testuser@mydomain.com:!Password01' http://10.10.10.11:80/portal/Pages/default.aspx -H "Host: sharepoint.mydomain.com"