APM VPE Exchange 2016

Hello,

could someone please explain me in detail how the EVP works, I use the classic VPE from the exchange 2016 iApps:

If a client do ActiveSync > MS Exchange Fallback > then do basic authentication on the front end without SSO configuration on the backend

If a client do OWA > > MS Exchange Fallback > then use the the select_sso_irule that use form based sso, and it doesn't use kerberos sso configuration, right ?

Now that's when I have trouble understanding,

For EWS, OAB, Autodiscover we have Front End Authentication "BASIC-NTLM" with Kerbeross SSO on backends

If a client do Autodiscover, EWS, OAB, > MS Exchange successfull > in which case the NTLM check will not work, if a client uses a computer out of domain? right ?

> then it go fallback and challenge the client to authenticate with kerbeross sso? right ?

But in which case clients will do basic ?

There's something I don't understand here, if someone can explain me how it's works with as scenario a PC in the domain and one outside who want to do Outlook Anywhere/Autodiscover with APM

Thanks!!