Forum Discussion
F5 NTLM Machine Account/Kerberos Constrained Delegation
We have successfully deployed the Exchange 2013 iApp using Kerberos constrained delegation. We followed the template version 1.6.0.
We have a firewall between our F5's that sit on the edge, and the F5's that sit internally that run LTM. We also have a firewall between those same edge F5's and our active directory environment.
We have found that we need to allow port 445 from our edge F5's to our AD environment (specifically, the IP we have assigned to the Kerberos realm in the iApp and/or the computer we have told APM to make the machine account on). If I deny this port, Outlook Anywhere will continue to function for a little while, but eventually break. Allowing this port once again immediately resolves the issue.
When I do a capture while the port is open, I see a ton of messages from the AD server saying "NBSS Continuation Message" and the F5 just ACKs the response.
I'm looking for help finding some documentation on what needs to be opened and why, or at least help explaining this flow, as our IT security team isn't very fond of opening this port if we can avoid it.
- Lucas_Thompson (Historic F5 Account)
ActiveSync clients use NTLM credential authentication for some protocols. In order to support this, APM uses "Passthrough Authentication" which requires SMB, which requires port 445. Unfortunately it's technically not feasible to support all ActiveSync clients without it.
- mengler_136249 (Nimbostratus)
What's odd is that we had this iApp deployed 2 years ago with only OWA and Async flowing through it. Now we spun up another instance on a new VIP which will include all three (adding Outlook Anywhere). With the old deployment, we haven't allowed 445 to our AD environment.
Either way, this is some good info and I'll take this to our systems guys and IT security.