DirectAccess not working with client firewall profiles enabled

I've been trying to get DirectAccess working for quite some time now without success.

I've discovered that if I disable the Windows private networks firewall profile on the client computer I am able to connect to DA and ping internal corporate servers. I've enabled logging of dropped packets on the client Windows firewall and I see dropped UDP 53 packets. So I've created an outbound rule to allow UDP 53 and it's still logged as dropped. I've also allowed all outbound and I'm still unable to connect. If I disable the Windows private firewall profile on the client, DA connects immediately.

The DA server is set up as basic as it can be, with a single NIC and self-signed certs. The corporate firewall is allowing internal 443. We have a GPO that disables the "domain networks" firewall profile, otherwise defaults plus the changes made by the DA getting started wizard GPOs.

Any help would be greatly appreciated!!

Edit: Server is currently Server 2016. I've tried multiple deployments of 2012. Client is Windows 10 1607 Enterprise.
eastmsAsked:
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Is the Windows firewall enabled for all profiles in your DA configuration?

https://technet.microsoft.com/en-us/library/dn464273(v=ws.11).aspx
0

eastmsAuthor Commented:
I had tested with all profiles enabled on the client but not the server. So I just removed the GPO that disabled the 'domain networks' profile from the DA server and it appears to work!

I'll have to do some significant modification to our GPO since this policy is at the top-most OU. Would it be OK to allow all on the Domain networks? I read somewhere that DA did not like that setting.
0
Zaheer IqbalTechnical Assurance & ImplementationCommented:
It's been some time since I was involved with setting up DA in my last job; we had an issue that caused a massive problem for us, so we ended up scrapping DA altogether.
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Note that disabling the firewall puts it into a form of Limp Mode.

It's better to enable logging via GPO and set to ON for all profiles. Also, enable pop-up for outbound via GPO. With these settings the firewall is no longer the problem, reading the logs is.

Elevated CMD run:
sc config "NlaSvc"  start= delayed-auto
net stop NlaSvc && Net Start NlaSvc

The above sets Network Location Awareness to delay its startup poll. Otherwise it locks things down in Public mode.
0
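An added example (not from this thread) that turns the checks discussed above into one PowerShell audit: it reports any firewall profile that is disabled or not logging dropped packets, and whether NlaSvc is set to delayed-auto, and only changes anything when -Remediate is passed. The function name Test-DaFirewallPrereqs and the -Remediate switch are assumptions; the cmdlets and the NlaSvc registry values are standard Windows ones.

```powershell
# Added example: audit the Windows Firewall / NLA state that DirectAccess depends on.
# Read-only by default; -Remediate applies the fixes from this thread. Run elevated.
[CmdletBinding()]
param([switch]$Remediate)

function Test-DaFirewallPrereqs {
    param([switch]$Remediate)
    $findings = @()

    # 1. DirectAccess uses IPsec rules from the firewall engine, so every profile
    #    (Domain, Private, Public) must be ON. Dropped-packet logging makes the
    #    firewall diagnosable instead of disabling it ("limp mode").
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings += "Profile '$($p.Name)' is disabled"
            if ($Remediate) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
        }
        if ($p.LogBlocked -ne 'True') {
            $findings += "Profile '$($p.Name)' is not logging dropped packets (log: $($p.LogFileName))"
            if ($Remediate) { Set-NetFirewallProfile -Name $p.Name -LogBlocked True }
        }
    }

    # 2. NLA should be delayed-auto (Start=2 plus DelayedAutostart=1) so the
    #    adapter is not stuck in the Public profile before the domain is reachable.
    $nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
    $nla = Get-ItemProperty -Path $nlaKey -ErrorAction SilentlyContinue
    if ($null -eq $nla -or $nla.Start -ne 2 -or $nla.DelayedAutostart -ne 1) {
        $findings += "NlaSvc is not delayed-auto (Start=$($nla.Start), DelayedAutostart=$($nla.DelayedAutostart))"
        if ($Remediate) { sc.exe config NlaSvc start= delayed-auto | Out-Null }
    }

    return $findings
}

$result = Test-DaFirewallPrereqs -Remediate:$Remediate
if ($result.Count -eq 0) {
    Write-Output 'OK: all firewall profiles enabled with drop logging, NlaSvc delayed-auto'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it on both the DA server and a client; an empty result means the profiles match what finally resolved this thread (all enabled) and the NLA start type matches Philip's recommendation.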
eastmsAuthor Commented:
Enabling all firewall profiles on the DA server ultimately resolved the issue. Thanks!
1
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Good to hear your issue has been resolved.
0