The apm module provides the ica proxy functionality to replace either secure gateway or access gateway for your remote users. Eliminating the need to provide extra firewall holes to internal application servers hosting applications that external users are trying to run applications from.
APM performs pre authentication of user/clients against active directory or other AAA server configured to verify a user can first be authenticated. It then can provide either SSO to internal web interface servers or replace them by passing user credentials to the XML broker to then collect the applications the user is authorized to access.
Apm then returns the listed applications back to the clients browser or receiver client so then can click an application and start using it via ica proxy without any VPN or additional firewall holes by riding the ica traffic over the original ssl connection through apm.
Hope that helps.