Good idea for troubleshooting ! And so useful, we have a result.
Created a VS with a dedicated IP. Standard, http, automap, client/server ssl profiles, default pool to exchange. Everything else default, no policy, no irule, no asm. New public IP, firewall rule, I can reach the server from outside. Play with hosts file And... it is working ! Both MS connectivity test and outlook.
So what's so different with my previous VS ? Same settings on VS, only one is using ressources (policy and irules). I was quite confident in those and it seems I am right. There is one thing that is enabled there and not on my test VS: Analytics ! switching it on/off triggers the failure/resolution on both VS...
Concerning the fact not having LTM: yes we have a small deployment with some standard MS apps (Exchange and Lync) for a few users and mobile population. Then we have internally developed and hosted web applications, for mobile employees, b2b and b2c, quite tight to our business data on both Apache and IIS. All-in-all the traffic stays quite low so no need for huge clusters and LB. We want to secure what goes public, no internal trafic, bigip acts as a web application firewall (currently another product based on apache). As for HA, we rely on underlying VM and SAN infrastructure which is pretty solid and redundant, that's enough for us we can afford a downtime in case of disaster/hw failure.
I have enabled unlicensed LTM on my VE just to be able to start an iApp config, and yes it looks awesome. But I cannot save it since it is not licensed, it won't allow me to do that. I don't know if we're ready to pay just to get iApp but F5 was sold to us as "supporting enterprise apps easily with templates" and now we lack them...maybe we can export security policies for Exchange and lync modules from an existing iApp deployment. Deploying a simple ASM policy on IIS/XML signatures template still triggers lots of false positive on ASM for those.
Anyway thanks again for your support, one reason going to F5 was getting more support, user feedbacks and community, that's already proven.