Forum Discussion
May 11, 2016
We ran into this and for the Kerberos AAA feature at least, we just specify the IP of the KDC in the Kerberos AAA agent, and let the traffic flow out of a RD0 VLAN that has access to the customer environment. We don't break the strict isolation feature in this case.
We enhance this by using a wildcard VIP whose pool members are multiple KDCs in the customer environment. You point the Domain Controller FQDN field to this IP. I haven't tested the NTLM portion; you may need a hosts file entry to represent the internal IP for the VIP.