Absolutely crazy that this wasn't answered sooner. As Kunjan alludes, clientless mode would indeed be a solution for web services authentication proxy with APM. The idea behind clientless mode, which I do believe was available in v10, is to disable the APM session redirects. In a normal APM session, the first request is met with a redirect to /my.policy and a Set-Cookie with the initial MRHSession token. Subsequent requests bounce back and forth between the client and APM while the visual policy is being evaluated. At the end of that evaluation, the session is marked "allow" and a final redirect sends the client back to the originally-requested URI. Clientless mode not only disables these book-ended redirects, but also injects the session token in the first response from the server/application. This does have a few implications though. First and foremost, you cannot use any agents that interrupt the flow of traffic, like a message box or logon form. This shouldn't be an issue with web services, but something to keep in mind nonetheless. Second, APM is still going to send back a session cookie so that subsequent requests don't require VPE evaluation. If the web services agent does not support cookies, then each request will amount to a separate APM session. This can have implications in your APM concurrency limits. In a situation like this, you may want to consider lowering APM session idle time so that they don't stick around unnecessarily for the default 900 seconds. And finally, browser-based authentication is typically an interactive mechanism (logon page, credential entry, certificate selection, etc.), and APM is specifically designed to handle these types of authentication. In the absence of interaction though, like with a web services connection, you may necessarily need to alter the way APM collects identity and credential information, and that'll depend on how you're authenticating the web services agent.