I have it working with AD only. We have several OWA servers behind a BIG-IP that are used for ActiveSync. I set up a new web service on Firepass for ActiveSync. I installed a Verisign certificate for the site. Note that Verisign now requires an intermediate certificate to work. Under Maintenance/URI-Customization I added an entry Microsoft-Server-ActiveSync set to activeSync authentication. For each master group that will use ActiveSync, in Portal Access:Web Applications:Master Group Settings, turn on Proxy basic and NTLM auth using Firepass user logon form, and Auto-logon to Basic using Firepass user credentials, and put in the domain. Add the Minimal Content-Rewriting Bypass entry for Firepass for /Microsoft-Server-ActiveSync* that points to your internal server. For the client, set the hostname to the Firepass web service name, and supply the user NT authentication.
We have this working in a pilot mode now. We have been able to get it to work with most devices.
Given the way this works, I am not sure if it is possible to map to multiple Exchange servers. You may want to try using different master groups with different Minimal Content-Rewriting Bypass entries pointing to different servers. Exchange also may provide a way of having a single front-end server talk to multiple Exchange servers.
I am using RADIUS authentication with this process. As long as the user ID and password match the AD login, it should work.