Connected internally, DirectAccess clients see the server and detect that they are connected locally. However, external clients are unable to fully connect and access internal resources when connecting remotely.
I have the DirectAccess server included in the NRPT exemption table.
Here are the logs from an internal test using the DirectAccess Client Troubleshooter Tool:
[4/24/2014 9:24:21 AM]: In worker thread, going to start the tests.
[4/24/2014 9:24:21 AM]: Running Network Interfaces tests.
[4/24/2014 9:24:21 AM]: Wi-Fi 3 (Broadcom 802.11n Network Adapter): fe80::b56f:4759:cc6a:288f%22;: 10.106.1.164/255.255.255.0;
[4/24/2014 9:24:21 AM]: Default gateway found for Wi-Fi 3.
[4/24/2014 9:24:21 AM]: Wi-Fi 3 has configured the default gateway 10.106.1.1.
[4/24/2014 9:24:21 AM]: Default gateway 10.106.1.1 for Wi-Fi 3 replies on ICMP Echo requests, RTT is 6 msec.
[4/24/2014 9:24:21 AM]: Received a response from the public DNS server (8.8.8.8), RTT is 5 msec.
[4/24/2014 9:24:32 AM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
[4/24/2014 9:24:32 AM]: Running Inside/Outside location tests.
[4/24/2014 9:24:32 AM]: NLS is https://DirectAccess-NLS.mydomain.com:62000/insideoutside.
[4/24/2014 9:24:33 AM]: NLS is reachable via HTTPS, the client computer is connected to the corporate network (internal).
[4/24/2014 9:24:33 AM]: NRPT contains 3 rules.
[4/24/2014 9:24:33 AM]: Found (unique) DNS server: fd36:30ab:8526:3333::1
[4/24/2014 9:24:33 AM]: Send an ICMP message to check if the server is reachable.
[4/24/2014 9:24:44 AM]: DNS Server fd36:30ab:8526:3333::1 does not reply on ICMP Echo requests.
[4/24/2014 9:24:44 AM]: Running IP connectivity tests.
[4/24/2014 9:24:44 AM]: The 6to4 interface service state is default.
[4/24/2014 9:24:44 AM]: Teredo inferface status is offline.
[4/24/2014 9:24:44 AM]: The configured DirectAccess Teredo server is win8.ipv6.microsoft.com..
[4/24/2014 9:24:44 AM]: The IPHTTPS interface is operational.
[4/24/2014 9:24:44 AM]: The IPHTTPS interface status is IPHTTPS interface not installed..
[4/24/2014 9:24:44 AM]: Teredo is used as IPv6 transition technology.
[4/24/2014 9:24:44 AM]: The configured IPHTTPS URL is https://da.mydomain.com:443.
[4/24/2014 9:24:44 AM]: IPHTTPS has a single site configuration.
[4/24/2014 9:24:44 AM]: IPHTTPS URL endpoint is: https://da.mypublicdomain.com:443.
[4/24/2014 9:24:45 AM]: Successfully connected to endpoint https://da.mypublicdomain.com:443.
[4/24/2014 9:24:45 AM]: Received response from mydomain.com, RTT is 1 msec.
[4/24/2014 9:24:45 AM]: Running Windows Firewall tests.
[4/24/2014 9:24:45 AM]: Warning - the current profile of the Windows Firewall is Domain.
[4/24/2014 9:24:45 AM]: The Windows Firewall is enabled in the current profile Domain.
[4/24/2014 9:24:45 AM]: The outbound Windows Firewall rule Core Networking - Teredo (UDP-Out) is enabled.
[4/24/2014 9:24:45 AM]: The outbound Windows Firewall rule Core Networking - IPHTTPS (TCP-Out) is enabled.
[4/24/2014 9:24:45 AM]: Running certificate tests.
[4/24/2014 9:24:45 AM]: Found 1 machine certificates on this client computer.
[4/24/2014 9:24:45 AM]: Checking certificate CN=Jeremys-WTG.mydomain.com with the serial number [1000000088F2B41BA6CD71046F000000000088].
[4/24/2014 9:24:45 AM]: The certificate [1000000088F2B41BA6CD71046F000000000088] contains the EKU Client Authentication.
[4/24/2014 9:24:45 AM]: The trust chain for the certificate [1000000088F2B41BA6CD71046F000000000088] was sucessfully verified.
[4/24/2014 9:24:45 AM]: Running IPsec infrastructure tunnel tests.
[4/24/2014 9:24:45 AM]: Successfully connected to domain sysvol share, found 57 policies.
[4/24/2014 9:24:45 AM]: Running IPsec intranet tunnel tests.
[4/24/2014 9:24:57 AM]: Failed to connect to fd36:30ab:8526:1000::1 with status TimedOut.
[4/24/2014 9:25:09 AM]: Failed to connect to fd36:30ab:8526:1000::2 with status TimedOut.
[4/24/2014 9:25:09 AM]: Successfully reached HTTP probe at http://directaccess-WebProbeHost.mydomain.com.
[4/24/2014 9:25:09 AM]: Running selected post-checks script.
[4/24/2014 9:25:09 AM]: No post-checks script specified or the file does not exist.
[4/24/2014 9:25:09 AM]: Finished running post-checks script.
[4/24/2014 9:25:09 AM]: Finished running all tests.
And here are the External test results:
[4/24/2014 9:30:23 AM]: In worker thread, going to start the tests.
[4/24/2014 9:30:23 AM]: Running Network Interfaces tests.
[4/24/2014 9:30:23 AM]: Wi-Fi 3 (Broadcom 802.11n Network Adapter): fe80::b56f:4759:cc6a:288f%22;: 192.168.137.253/255.255.255.0;
[4/24/2014 9:30:23 AM]: Default gateway found for Wi-Fi 3.
[4/24/2014 9:30:23 AM]: Teredo Tunneling Pseudo-Interface (Teredo Tunneling Pseudo-Interface): 2001:0:5ef5:79fd:467:ef28:b93e:7232;: fe80::467:ef28:b93e:7232%7;
[4/24/2014 9:30:23 AM]: No default gateway found for Teredo Tunneling Pseudo-Interface.
[4/24/2014 9:30:23 AM]: iphttpsinterface (iphttpsinterface): fd36:30ab:8526:1000:aa:e8a0:ac6d:2085;: fd36:30ab:8526:1000:9ddc:93e9:1a0e:1298;: fe80::aa:e8a0:ac6d:2085%29;
[4/24/2014 9:30:23 AM]: No default gateway found for iphttpsinterface.
[4/24/2014 9:30:23 AM]: Wi-Fi 3 has configured the default gateway 192.168.137.1.
[4/24/2014 9:30:23 AM]: Default gateway 192.168.137.1 for Wi-Fi 3 replies on ICMP Echo requests, RTT is 3 msec.
[4/24/2014 9:30:23 AM]: Received a response from the public DNS server (8.8.8.8), RTT is 84 msec.
[4/24/2014 9:30:23 AM]: The public DNS Server (2001:4860:4860::8888) does not reply on ICMP Echo requests, the request or response is maybe filtered?
[4/24/2014 9:30:23 AM]: Running Inside/Outside location tests.
[4/24/2014 9:30:23 AM]: NLS is https://DirectAccess-NLS.mydomain.com:62000/insideoutside.
[4/24/2014 9:30:23 AM]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
[4/24/2014 9:30:23 AM]: NRPT contains 3 rules.
[4/24/2014 9:30:23 AM]: Found (unique) DNS server: fd36:30ab:8526:3333::1
[4/24/2014 9:30:23 AM]: Send an ICMP message to check if the server is reachable.
[4/24/2014 9:30:23 AM]: DNS server fd36:30ab:8526:3333::1 is online, RTT is 73 msec.
[4/24/2014 9:30:23 AM]: Running IP connectivity tests.
[4/24/2014 9:30:23 AM]: The 6to4 interface service state is default.
[4/24/2014 9:30:23 AM]: Teredo inferface status is online.
[4/24/2014 9:30:23 AM]: The configured DirectAccess Teredo server is win8.ipv6.microsoft.com..
[4/24/2014 9:30:23 AM]: The IPHTTPS interface is operational.
[4/24/2014 9:30:23 AM]: The IPHTTPS interface status is IPHTTPS interface active.
[4/24/2014 9:30:23 AM]: IPHTTPS is used as IPv6 transition technology.
[4/24/2014 9:30:23 AM]: The configured IPHTTPS URL is https://da.mypublicdomain.com:443.
[4/24/2014 9:30:23 AM]: IPHTTPS has a single site configuration.
[4/24/2014 9:30:23 AM]: IPHTTPS URL endpoint is: https://da.mypublicdomain.com:443.
[4/24/2014 9:30:24 AM]: Successfully connected to endpoint https://da.mypublicdomain.com:443.
[4/24/2014 9:30:35 AM]: No response received from mydomain.com.
[4/24/2014 9:30:35 AM]: Running Windows Firewall tests.
[4/24/2014 9:30:35 AM]: The current profile of the Windows Firewall is Public.
[4/24/2014 9:30:35 AM]: The Windows Firewall is enabled in the current profile Public.
[4/24/2014 9:30:35 AM]: The outbound Windows Firewall rule Core Networking - Teredo (UDP-Out) is enabled.
[4/24/2014 9:30:35 AM]: The outbound Windows Firewall rule Core Networking - IPHTTPS (TCP-Out) is enabled.
[4/24/2014 9:30:35 AM]: Running certificate tests.
[4/24/2014 9:30:35 AM]: Found 1 machine certificates on this client computer.
[4/24/2014 9:30:35 AM]: Checking certificate CN=Jeremys-WTG.mydomain.com with the serial number [1000000088F2B41BA6CD71046F000000000088].
[4/24/2014 9:30:35 AM]: The certificate [1000000088F2B41BA6CD71046F000000000088] contains the EKU Client Authentication.
[4/24/2014 9:30:35 AM]: The trust chain for the certificate [1000000088F2B41BA6CD71046F000000000088] was sucessfully verified.
[4/24/2014 9:30:35 AM]: Running IPsec infrastructure tunnel tests.
[4/24/2014 9:30:36 AM]: Failed to connect to domain sysvol share \\mydomain.com\sysvol\mydomain.com\Policies.
[4/24/2014 9:30:36 AM]: Running IPsec intranet tunnel tests.
[4/24/2014 9:30:36 AM]: Successfully reached fd36:30ab:8526:1000::1, RTT is 148 msec.
[4/24/2014 9:30:36 AM]: Successfully reached fd36:30ab:8526:1000::2, RTT is 149 msec.
[4/24/2014 9:30:36 AM]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.mydomain.com.
[4/24/2014 9:30:36 AM]: Running selected post-checks script.
[4/24/2014 9:30:36 AM]: No post-checks script specified or the file does not exist.
[4/24/2014 9:30:36 AM]: Finished running post-checks script.
[4/24/2014 9:30:36 AM]: Finished running all tests.
Also, I've run some netsh commands to gather additional info. These were run while connected externally.
C:\>netsh dns show state
Name Resolution Policy Table Options
--------------------------------------------------------------------
Query Failure Behavior    : Always fall back to LLMNR and NetBIOS if the name does not exist in DNS or if the DNS servers are unreachable when on a private network
Query Resolution Behavior : Resolve only IPv6 addresses for names
Network Location Behavior : Let Network ID determine when Direct Access settings are to be used
Machine Location          : Outside corporate network
Direct Access Settings    : Configured and Enabled
DNSSEC Settings           : Not Configured
C:\>netsh namespace show policy
DNS Name Resolution Policy Table Settings
Settings for DirectAccess-NLS.mydomain.com
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) :
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Use default browser settings
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)
Settings for .win2k12-da
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) : fd36:30ab:8526:3333::1
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)
Settings for .www.mydomain.com
----------------------------------------------------------------------
DNSSEC (Certification Authority) :
DNSSEC (Validation) : disabled
DNSSEC (IPsec) : disabled
DirectAccess (Certification Authority) :
DirectAccess (DNS Servers) : fd36:30ab:8526:3333::1
DirectAccess (IPsec) : disabled
DirectAccess (Proxy Settings) : Bypass proxy
Generic (DNS Servers) :
Generic (VPN Trigger) : disabled
IDN (Encoding) : UTF-8 (default)
C:\>netsh interface teredo show state
Teredo Parameters
---------------------------------------------
Type : client
Server Name : win8.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port : unspecified
State : qualified
Client Type : teredo host-specific relay
Network : unmanaged
NAT : restricted
NAT Special Behaviour : UPNP: No, PortPreserving: No
Local Mapping : 192.168.137.253:58266
External NAT Mapping : PUBLIC IP:4311
C:\>netsh interface httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy) Parameters
------------------------------------------------------------
Role : client
URL : https://da.mydomain.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
C:\>
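To line the two troubleshooter runs above up check by check, here is an added Python script (not part of the original post, and not code from the DirectAccess Client Troubleshooter Tool) that parses the tool's log lines, classifies each recognised check as PASS or FAIL from the tool's own wording, and reports only the checks whose verdict differs between the internal and external runs. The check names and the regular expressions in CHECKS are assumptions about the tool's message formats, derived from the lines in this post; the two sample logs are excerpts of the runs above.

```python
"""Diff two DirectAccess Client Troubleshooter runs and list the checks that changed."""
import re
from dataclasses import dataclass
from typing import Optional

# One tool line looks like: "[4/24/2014 9:24:21 AM]: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]: (?P<msg>.*)$")

# Checks worth lining up across runs (assumed message formats, taken from the post).
# The first pattern that matches a line wins; an optional "target" group keys
# checks that run once per host or address so they pair up across runs.
CHECKS = [
    ("NLS reachable over HTTPS", r"^NLS is (not )?reachable"),
    ("Public DNS server answers ICMP", r"public DNS [Ss]erver \((?P<target>[0-9a-f.:]+)\)"),
    ("Corporate DNS server answers ICMP", r"^DNS [Ss]erver (?P<target>\S+) (is online|does not reply)"),
    ("IPHTTPS interface status", r"^The IPHTTPS interface status is"),
    ("Response from domain name", r"(response from|No response received from) (?P<target>[\w.-]+\w)"),
    ("SYSVOL share (infrastructure tunnel)", r"domain sysvol share"),
    ("Intranet tunnel host reachable", r"(reached|Failed to connect to) (?P<target>fd36:[0-9a-f:]+)"),
    ("HTTP probe (intranet tunnel)", r"HTTP probe at"),
]

# Wording the tool uses for a failed check; any other line that matched a check is a pass.
FAIL_MARKERS = ("Failed", "not reachable", "does not reply", "No response", "not installed")


@dataclass
class Result:
    phase: Optional[str]   # the "Running ... tests." section the line appeared in
    check: str
    target: Optional[str]
    verdict: str           # "PASS" or "FAIL"
    message: str


def verdict(msg: str) -> str:
    return "FAIL" if any(marker in msg for marker in FAIL_MARKERS) else "PASS"


def parse_run(text: str) -> dict:
    """Return {(check, target): Result} for one troubleshooter run."""
    results, phase = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Running ") and msg.endswith(" tests."):
            phase = msg[len("Running "):-len(" tests.")]   # "Running X tests." -> "X"
            continue
        for check, pattern in CHECKS:
            hit = re.search(pattern, msg)
            if hit:
                target = hit.groupdict().get("target")
                results[(check, target)] = Result(phase, check, target, verdict(msg), msg)
                break
    return results


def compare_runs(inside: dict, outside: dict) -> dict:
    """Return {(check, target): (inside_verdict, outside_verdict)} where the runs disagree."""
    diffs = {}
    for key in set(inside) | set(outside):
        a = inside[key].verdict if key in inside else "MISSING"
        b = outside[key].verdict if key in outside else "MISSING"
        if a != b:
            diffs[key] = (a, b)
    return diffs


# Excerpts of the internal and external runs quoted in the post (raw strings keep the UNC path intact).
INSIDE_LOG = r"""
[4/24/2014 9:24:21 AM]: Received a response from the public DNS server (8.8.8.8), RTT is 5 msec.
[4/24/2014 9:24:32 AM]: Running Inside/Outside location tests.
[4/24/2014 9:24:33 AM]: NLS is reachable via HTTPS, the client computer is connected to the corporate network (internal).
[4/24/2014 9:24:44 AM]: DNS Server fd36:30ab:8526:3333::1 does not reply on ICMP Echo requests.
[4/24/2014 9:24:44 AM]: The IPHTTPS interface status is IPHTTPS interface not installed..
[4/24/2014 9:24:45 AM]: Received response from mydomain.com, RTT is 1 msec.
[4/24/2014 9:24:45 AM]: Running IPsec infrastructure tunnel tests.
[4/24/2014 9:24:45 AM]: Successfully connected to domain sysvol share, found 57 policies.
[4/24/2014 9:24:45 AM]: Running IPsec intranet tunnel tests.
[4/24/2014 9:24:57 AM]: Failed to connect to fd36:30ab:8526:1000::1 with status TimedOut.
[4/24/2014 9:25:09 AM]: Successfully reached HTTP probe at http://directaccess-WebProbeHost.mydomain.com.
"""
OUTSIDE_LOG = r"""
[4/24/2014 9:30:23 AM]: Received a response from the public DNS server (8.8.8.8), RTT is 84 msec.
[4/24/2014 9:30:23 AM]: Running Inside/Outside location tests.
[4/24/2014 9:30:23 AM]: NLS is not reachable via HTTPS, the client computer is not connected to the corporate network (external) or the NLS is offline.
[4/24/2014 9:30:23 AM]: DNS server fd36:30ab:8526:3333::1 is online, RTT is 73 msec.
[4/24/2014 9:30:23 AM]: The IPHTTPS interface status is IPHTTPS interface active.
[4/24/2014 9:30:35 AM]: No response received from mydomain.com.
[4/24/2014 9:30:35 AM]: Running IPsec infrastructure tunnel tests.
[4/24/2014 9:30:36 AM]: Failed to connect to domain sysvol share \\mydomain.com\sysvol\mydomain.com\Policies.
[4/24/2014 9:30:36 AM]: Running IPsec intranet tunnel tests.
[4/24/2014 9:30:36 AM]: Successfully reached fd36:30ab:8526:1000::1, RTT is 148 msec.
[4/24/2014 9:30:36 AM]: Failed to connect to HTTP probe at http://directaccess-WebProbeHost.mydomain.com.
"""

if __name__ == "__main__":
    diffs = compare_runs(parse_run(INSIDE_LOG), parse_run(OUTSIDE_LOG))
    print(f"{'check':38} {'target':24} inside  outside")
    for (check, target), (a, b) in sorted(diffs.items(), key=str):
        print(f"{check:38} {target or '-':24} {a:7} {b}")
```

Checks that pass in both runs (here the IPv4 public DNS ping) drop out of the report, so what is left is the external-only failures (NLS, the domain name response, the SYSVOL share, the HTTP probe) next to the internal-only ones that are expected when the client sits on the LAN. To use it on full logs, paste each run's output into the two strings or read them from files with `open(...).read()`.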