From MobileIron: "Standalone Sentry serves as an intelligent gatekeeper to the ActiveSync server. It uses the ActiveSync protocol to communicate with the ActiveSync server and with the ActiveSync devices."
Essentially, a MobileIron app sits on the mobile device and is pointed to the MobileIron Sentry device. This Sentry device is in the DMZ and passes the information to the Exchange iApp using ActiveSync over 443. This configuration works fine using the manually created virtual servers, but doesn't work with the iApp. On the external F5 appliance, there is a virtual server that answers all Exchange requests. It points those to an APM 'portal' where the user gets authenticated with username and password, then uses Symantec VIP for two-factor. Once authenticated, the traffic gets passed to the internal F5 device where the Exchange iApp is deployed (along with the old Exchange VS). The only thing that changes in this scenario is the internal VS that the traffic gets passed to.
Old way: Mobile Device -> Ext F5 -> APM for authentication -> Internal F5 w/created VS
New way: Mobile Device -> Ext F5 -> APM for authentication -> Internal Exchange F5 iApp