NimbostratusF5 NTLM Machine Account/Kerberos Constrained Delegation
We have successfully deployed the exchange 2013 iApp using Kerberos constrained delegation. We followed the template version 1.6.0.
We have a firewall between our F5's that sit on the edge, and the F5's that sit internally that run LTM. We also have a firewall between those same edge F5's and our active directory environment.
We have found that we need to allow port 445 from our edge F5's to our AD enviornment (specifically, the IP we have assigned to the Kerberos realm in the iApp and/or the computer we have told APM to make the machine account on). If I deny this port, outlook anywhere will continue to function for a little while, but eventually break. Allowing this port once again, immediately resolves the issue.
When I do a capture while the port is open, I see a ton of messages from the AD server saying "NBSS Continuation Message" and the F5 just ACK's the response.
Im looking for help finding some documentation on what is needed to be opened and why, or at least help explaining this flow, as our IT security team isn't very fond of opening this port if we can avoid it.
