I have a client that is wanting to use DA for their laptop users in the field but they have some fairly specific wants and they would like to know if they can get their cake and cookies while using ONLY port 443 open to the Internet.  I've been wading through a ton of info and some of it seems to contradict not only itself but what they are hearing from MS so I thought I'd post it up here and get a second opinion as to whether it's even possible.

The DA server(s) will be running Server 2012 R2 and will have 2 NICs, one in their private network (the "LAN" NIC) and one in their DMZ/perimeter network behind a 1:1 NAT.  The public IP that the NAT is set to does have a DNS entry that can be resolved from the Internet.  The private and DMZ networks are IPv4 only and their clients are expected to be on IPv4 only connections.  

Here's their want list:

• Support Windows 7, Windows 8/8.1 Clients
• Manage Out
• Force Tunneling

They want to start with a single DA server but eventually if the thing goes to production they want to have 2 of them in an NLB cluster.

My real questions are a) can this be done using ONLY port 443 inbound and b) if not what items on the "want" list may need to be sacrificed in order to get it going.  Thanks in advance for any help!

• Edited by Matt Br 18 hours 35 minutes ago