I have a Windows Server 2012 R2 Standard server on the internal network with a single adapter, and have installed the "Remote Access" role, then the "DirectAccess and VPN (RAS)" role service.
I then used "Run the Getting Started Wizard" and accepted the default, correctly detected option "behind an edge device (with a single network adapter)".
Everything completed successfully.
The "Remote Access Dashboard" shows all green ticks.
    C:\>netstat -a

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:443            [servername]:0         LISTENING
... so the server is listening for IP-HTTPS on port 443.
My colleagues have configured network address translation from the public IPv4 address to the internal IPv4 address, and added a DNS record in the public DNS server.
GPRESULT shows the DirectAccess server has received and applied the "DirectAccess Server Settings" policy.
HOWEVER, if I try to test if the port is available on the Internet, for example using http://mxtoolbox.com/PortScan.aspx, then it is closed.
Similarly, telnet from an intranet client to the DirectAccess server's port 443 fails.
A closer look at "Windows Firewall with Advanced Security > Inbound Rules" shows rules called "Core Networking - IPHTTPS (TCP-In)" that are enabled and allow traffic. One appears to be "local", and one is from the "DirectAccess Server Settings" group policy. If I examine either rule, then look at the Advanced tab, there is an "Edge traversal" section, and both rules are set to "Block edge traversal".
I haven't seen references to this anywhere, except one or two references associated with 2008 R2:
Configure Packet Filters to Allow Management Traffic to DirectAccess Clients
I think that Edge Traversal should be enabled, but am surprised that it is not; there is no mention of this anywhere, and everything else appears to have been configured correctly. Am I OK to enable it?
Is this because I deployed DirectAccess before I had configured NAT and added the DNS record?
Thanks in advance.
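A PowerShell check of the firewall rules and IP-HTTPS listener state that the question describes, added here as an example (it is not part of the question and not Microsoft's own documentation). It assumes an elevated prompt on the DirectAccess server for steps 1 to 3 and an intranet client for step 4; the server name is a placeholder. EdgeTraversalPolicy is the property behind the "Edge traversal" section in the rule's Advanced tab, and PolicyStoreSource shows whether a rule is local or delivered by group policy.

```powershell
# Added diagnostic example, not from the original post.
# Placeholder for the DirectAccess server's internal DNS name.
$daServer = 'da-server.example.internal'

# 1. Every inbound IP-HTTPS rule, where it comes from (local store vs. the
#    DirectAccess GPO) and its edge-traversal policy. The GUI's
#    "Block edge traversal" appears here as EdgeTraversalPolicy = Block.
Get-NetFirewallRule -DisplayName 'Core Networking - IPHTTPS (TCP-In)' |
    Select-Object DisplayName, Enabled, Action, Direction, Profile,
                  EdgeTraversalPolicy, PolicyStoreSource, PolicyStoreSourceType |
    Format-Table -AutoSize

# 2. Confirm those rules really match TCP/443; the port filter is a
#    separate object attached to the rule.
Get-NetFirewallRule -DisplayName 'Core Networking - IPHTTPS (TCP-In)' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# 3. IP-HTTPS configuration (server URL, type) and interface state, to
#    separate "listener is up" from "firewall is letting traffic reach it".
Get-NetIPHttpsConfiguration | Format-List
Get-NetIPHttpsState | Format-List

# 4. Run from an intranet client: reproduces the failing telnet test, but
#    also reports which interface and route were used for the attempt.
Test-NetConnection -ComputerName $daServer -Port 443 -InformationLevel Detailed
```

If step 4 fails while step 3 shows the listener up, the firewall rule set (or the NAT path in front of it) is the remaining place to look; comparing the two rules' PolicyStoreSource values tells you which one group policy will keep re-applying.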