DirectAccess not working with client firewall profiles enabled

I've been trying to get DirectAccess working for quite some time now without success.

I've discovered that if I disable the Windows private networks firewall profile on the client computer, I am able to connect to DA and ping internal corporate servers. I've enabled logging of dropped packets on the client Windows firewall and I see dropped UDP 53 packets. So I've created an outbound rule to allow UDP 53 and it's still logged as dropped. I've also allowed all outbound and I'm still unable to connect. If I disable the Windows private firewall profile on the client, DA connects immediately.

The DA server is set up as basic as it can be, with a single NIC and self-signed certs. The corporate firewall is allowing internal 443. We have a GPO that disables the "domain networks" firewall profile, otherwise defaults plus the changes made by the DA getting started wizard GPOs.

Any help would be greatly appreciated!!

Edit: Server is currently Server 2016. I've tried multiple deployments of 2012. Client is Windows 10 1607 Enterprise.

Zaheer Iqbal (Technical Assurance & Implementation) commented:
Is the Windows Firewall profile enabled for all profiles in your DA configuration?

eastms (Author) commented:
I had tested with all profiles enabled on the client but not the server.  So I just removed the GPO that disabled the 'domain networks' profile from the DA server and it appears to work!

I'll have to do some significant modification to our GPO since this policy is at the top-most OU. Would it be OK to allow all on the Domain networks? I read somewhere that DA did not like that setting.

Zaheer Iqbal (Technical Assurance & Implementation) commented:
It's been some time since I was involved with setting up DA in my last job; we had an issue that caused a massive issue for us, so we ended up scrapping DA altogether.

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Note that disabling the firewall puts it into a form of Limp Mode.

It's better to enable logging via GPO and set to ON for all profiles. Also, enable pop-up for outbound via GPO. With these settings the firewall is no longer the problem, reading the logs is.

Elevated CMD run:
sc config "NlaSvc"  start= delayed-auto
net stop NlaSvc && Net Start NlaSvc

The above sets Network Location Awareness to delay its startup poll. Otherwise it locks things down in Public mode.

eastms (Author) commented:
Enabling all firewall profiles on the DA server ultimately resolved the issue.  Thanks!

Zaheer Iqbal (Technical Assurance & Implementation) commented:
Good to hear your issue has been resolved.
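
Added example (not part of the thread, and not code from any participant): a PowerShell audit that reports the effective state of each firewall profile, which is what resolved this issue on the DA server, and summarises DROP entries from the firewall log as the logging advice above suggests. The helper name `Get-FirewallDrop` and the sample log lines are constructed for illustration; the log field order assumed is the one written in the `#Fields:` header of `pfirewall.log`.

```powershell
# Added example. Run in an elevated PowerShell session on the DA server and on a client.

# 1. Effective profile state. ActiveStore includes settings applied by GPO,
#    so a GPO that disables the Domain profile shows up here.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$profiles | Format-Table Name, Enabled, LogBlocked, LogFileName -AutoSize

$off = $profiles | Where-Object { $_.Enabled -ne 'True' }
if ($off) {
    Write-Warning ("Profiles not enabled: " + ($off.Name -join ', '))
}

# 2. Summarise dropped packets from firewall log lines (hypothetical helper).
function Get-FirewallDrop {
    param([string[]]$Line)
    $Line | Where-Object { $_ -and $_ -notmatch '^#' } | ForEach-Object {
        $f = $_ -split '\s+'
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ... path
        if ($f.Count -ge 8 -and $f[2] -eq 'DROP') {
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Protocol = $f[3]
                DstIP    = $f[5]
                DstPort  = $f[7]
                Path     = $f[-1]   # SEND = outbound, RECEIVE = inbound
            }
        }
    }
}

# Constructed sample lines (documentation address ranges), not from the thread.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2017-01-10 09:14:02 DROP UDP 192.0.2.10 192.0.2.53 51514 53 0 - - - - - - - SEND'
    '2017-01-10 09:14:03 ALLOW TCP 192.0.2.10 198.51.100.7 49822 443 0 - 0 0 0 - - - SEND'
    '2017-01-10 09:14:05 DROP UDP 192.0.2.10 192.0.2.53 51515 53 0 - - - - - - - SEND'
)

# Groups drops by protocol and destination port; the sample yields 2 x "UDP, 53".
Get-FirewallDrop $sample | Group-Object Protocol, DstPort | Select-Object Count, Name

# Against a real log, pass the file contents instead of $sample, e.g.:
# $log = [Environment]::ExpandEnvironmentVariables(($profiles | Where-Object Name -eq 'Private').LogFileName)
# Get-FirewallDrop (Get-Content $log) | Group-Object Protocol, DstPort | Sort-Object Count -Descending
```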