WSAM/JSAM config is quite easy. You could also use NC if you wanted. I suppose elegance is an opinion.

Clientless Active Sync works well and is easy to setup. I believe you must have IVE OS 6.2r1 or greater:

Please note the following:

* Supports Windows Mobile 5.0 and 6.0 only
* Supports Exchange Server 2003 and 2007
* Both NTLM & Basic Auth on the Exchange server are supported
* Both HTTP and HTTPS between IVE and Exchange server are supported
* If the IVE is used for OWA & Activesync, the hostnames for OWA access and Activesync must be different
* No endpoint checking is supported.

To configure the IVE as a reverse proxy for use with Activesync:

1. In the admin console, choose Authentication > Signing In > Sign-in Policies.
2. To create a new authorization only access policy, click New URL and select authorization only access. Or, to edit an existing policy, click a URL in the Virtual Hostname column.
3. In the Virtual Hostname field, enter the name that maps to the IVEÕs IP address. The name must be unique among all virtual host names used in pass-through proxyÕs hostname mode. The hostname is used to access the Exchange server entered in the Backend URL field. Do not include the protocol (for example, http in this field.

For example, if the virtual hostname is myapp.ivehostname.com, and the backend URL is http://www.xyz.com:8080/, a request to https://myapp.ivehostname.com/test1 via the IVE is converted to a request to http://www.xyz.com:8080/test1. The response of the converted request is sent to the original requesting web browser.
4. In the Backend URL field, enter the URL for the Exchange server. You must specify the protocol, hostname and port of the server. For example, http://www.mydomain.com:8080/*.

When requests match the hostname in the Virtual Hostname field, the request is transformed to the URL specified in the Backend URL field. The client is directed to the backend URL unaware of the redirect.
5. Enter a Description for this policy (optional).
6. Select No Authorization from the Authorization Server drop down menu.
7. Select a user role from the Role Option drop down menu.

Only the following user role options are applicable for Autosync.
* HTTP Connection Timeout (Users > User Roles > RoleName > Web > Options > View advanced options)
* Allow browsing un-trusted SSL websites (Users > User Roles > RoleName > Web > Options > View advanced options)
* Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
* Browser restrictions (Users > User Roles > RoleName > General > Restrictions)

Thank you for your great answer! I was not aware of the "authorization only access".

I know I could make RPC over HTTPS work with SAM, but I was wondering is it was possible to have outlook trigger the logon directely without having to make as a "authorization only access".

That is if it is possible to provide SSO to Outlooks :-)

Clientless Outlook anywhere would be amazing. Does anyone know how we can set this up with an SA appliance?