First, the APM portal feature is for web-based communications. It's highly unlikely that the RPC-over-HTTPS stuff would work. The main idea with a portal is that it rewrites links.

Think of a typical HTTP request and response. The client does a GET or POST to a specific URL, and that URL responds with a bunch of HTTP headers and an HTML document. Inside that document you'll usually find a bunch of external references to other objects (images, CSS, JavaScript, etc.) that the browser client will dutifully fetch before rendering the page to the user. So there are TWO places where a server can implant URLs: HTTP headers and the HTML document. The APM portal will look through all of this data, find these URLs, and then rewrite them to values that force all subsequent requests through the same VIP.

So for example, let's say you have an APM portal at portal.mycompany.com. That sits in front of an application, and that application sends back references to itself and other internal URLs in HTTP headers and the HTML payload.
<img src="http://internal.domain.local/images/my_cat.png">
will get rewritten to something like
<img src="https://portal.mycompany.com/f5-w-1234564334565/images/my_cat.png">
If the server spits out URLs for different servers inside the environment, APM portal will automatically rewrite those as well. This is one way to handle URL rewriting and requires no iRules, but as you mentioned earlier, it does incur a different licensing model. This, by the way, would automatically make web2 externally accessible (though you can block it).
In some cases you can get away with similar functionality with an iRule to 1) replace Host headers, 2) replace redirect Location headers, and 3) replace URLs in the response payload. Oddly it seems the only thing you need to do is to replace the Host header in the request, so you may not have to go through all of this trouble. The question then becomes, what do you want to do with the web2 URL references? If web2 isn't intended to be externally accessible, then the incorrect links should be fine. If you want web2 to be externally accessible, then you either need to do the APM portal thing, or create a separate LTM VIP for web and rewrite URL references to web2 in the HTTP responses to point web2 traffic at that VIP.
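The three iRule steps listed above (Host header, redirect Location, response payload), sketched as an added example that is not part of the original post. It assumes internal.domain.local is the hostname the pool member expects, portal.mycompany.com is the external name of the LTM VIP, the VIP terminates TLS, and a stream profile is attached to the virtual server.

```tcl
# Added example, not the poster's code. Hostnames are taken from the post's
# example; using them as the backend name and the VIP name is an assumption.
when RULE_INIT {
    set static::int_host "internal.domain.local"
    # Fixed external name rather than the client's Host header, so a forged
    # Host value can never end up inside rewritten links.
    set static::ext_host "portal.mycompany.com"
}

when HTTP_REQUEST {
    # 1) Present the hostname the backend expects.
    HTTP::header replace Host $static::int_host
    # Ask for an uncompressed response so the stream filter can match text.
    HTTP::header remove "Accept-Encoding"
    # Do not run the stream filter over request payloads.
    STREAM::disable
}

when HTTP_RESPONSE {
    # 2) Rewrite redirects that point at the internal name.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header Location]
        set new_loc [string map [list "http://${static::int_host}" "https://${static::ext_host}"] $loc]
        HTTP::header replace Location $new_loc
    }
    # 3) Rewrite absolute URLs in text payloads only (HTML, CSS, JavaScript
    #    served as text/*); images and other binary content are left alone.
    STREAM::disable
    if { [HTTP::header Content-Type] starts_with "text/" } {
        STREAM::expression "@http://${static::int_host}@https://${static::ext_host}@"
        STREAM::enable
    }
}
```

Only the one named internal host is rewritten, so references to any other internal server (web2 in this thread) pass through unchanged and stay unreachable from outside unless a VIP and a matching rewrite are added for it on purpose.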