Forum Discussion
Certificate as second factor for ActiveSync
Your approach to implementing a client-certificate check for ActiveSync on your F5 load balancer in front of an Exchange 2016 Cluster sounds reasonable. However, the success of this setup largely depends on whether the Exchange ActiveSync (EAS) client can present a certificate when requested by F5.

In a typical setup, the EAS client does not present a certificate unless it's explicitly configured to do so. This configuration is usually done on the Exchange server, not on the F5 device. When the Exchange server is configured for certificate-based authentication (CBA), the EAS client will present a certificate during the SSL/TLS handshake process.

In your case, you want the client to present a certificate when requested by the F5 device, not by the Exchange server. This scenario is less common and may not work as expected unless the EAS client is configured to present a certificate regardless of the server requesting it.
