Best practice would be to enable APM functionality on a separate virtual server and use split DNS. That is, if currently your users go to https://mail.contoso.com, then you'd want to set up that name to resolve to your existing VIP internally and to your newly-created VIP externally. By deploying this you avoid any potential negative interactions with Autodiscover and Kerberos authentication issues internally, conserve APM resources to protect access only for untrusted (external) access, and completely separate internal and external configuration for ease of troubleshooting, change management, and administration.
Regarding 3, I'd still recommend doing your own load-balancing for external users. Remember that load-balancing happens on the pool level, not on the virtual server level, so if you point your newly-created virtual server to the same pool of CAS servers, the same load-balancing and metrics would be used. There is no need to point it to the virtual on the same LTM; it will only slow down the communication process, and you don't want to do that. :)
Hope this works out for you, and please post your feedback on the solution and any further questions that you might have.
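A skeleton of that layout in tmsh, added here as an illustration and not taken from the original post or from F5's own documentation. The addresses, pool and virtual server names, and the APM access profile name (mail_external_access, assumed to have been built already in the APM policy editor) are assumptions.

```tmsh
# Added example (not from the original post). Assumed values: CAS pool
# members 10.10.10.11 and 10.10.10.12, internal VIP 10.10.20.10, external
# VIP 192.0.2.10, and an existing APM access profile mail_external_access.

# One pool of CAS servers. Load balancing, persistence decisions and health
# monitoring live here, so both virtual servers below share the same
# member state and metrics without one virtual forwarding to the other.
create ltm pool cas_pool monitor https load-balancing-mode least-connections-member members add { 10.10.10.11:443 10.10.10.12:443 }

# Internal virtual server: plain LTM, no APM, so Autodiscover and Kerberos
# from domain-joined clients are not touched. Internal DNS resolves
# mail.contoso.com to this address.
create ltm virtual vs_mail_internal destination 10.10.20.10:443 ip-protocol tcp profiles add { tcp http clientssl serverssl } pool cas_pool source-address-translation { type automap }

# External virtual server: same pool, plus the APM access profile and the
# default rewrite profile so only untrusted clients consume APM sessions.
# External DNS resolves mail.contoso.com to this address.
create ltm virtual vs_mail_external destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http clientssl serverssl mail_external_access rewrite } pool cas_pool source-address-translation { type automap }

save sys config
```

After applying, confirm with `show ltm pool cas_pool members` that connections from both virtual servers are counted against the same pool members.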