AD Authentication for BusinessObjects running in the HEC

Hi,

one of our customers operates his SAP systems incl. BI 4.2 (Linux) in the HANA Enterprise Cloud. Now he likes to implement manual AD authentication (WinAD) to LaunchPad and SSO to BW/DB based on STS and Assertion Tickets. I have done this setup several times, however not for systems running in HEC. Especially I am concerned about how to connect to the customers on premise AD from BI4 HEC system. In my understanding, HEC is to be considered as private cloud and should act as if inside firewall

Has anyone experiences with that, would be great to learn if there are any restrictions to consider for that scenario? Thanks!