Hi There - The DirectAccess Server (in different configurations) requires full access to all internal resources.
So for example, if you have an internal firewall behind the DA Server, a recommended practice I have used is to add a rule allowing the DA Server access to internal resources. For example, allow the internal IP of the DA Server to all VLANs behind operating services,
and also apply the correct static routes to the DA Server to provide network routing.
Internal IP of the DA Server ---> allow all traffic to selected VLANs
The above rule restricts traffic from the DA Server to the required VLANs / networks you specify. The reasoning is that DirectAccess requires full connectivity to your apps / infrastructure unless you want to create firewall rules for every
application and port. The suggested answer limits the DirectAccess Server internal IP to full access only to internal resources. A good example of opening ports on the backend firewall for each application (and the difficulties you may encounter) would be
something like Active Directory Certificate Services, which uses the full RPC high port range (TCP/IP) unless limited to a specific port.
See this link as an example if you go down the route of individual application firewall rules:
http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
Kr
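As an added illustration of the static-route part of the answer above (example code, not from the original post or from Microsoft), the following PowerShell is run on the DA Server and adds persistent routes for each internal VLAN via the internal interface, then verifies reachability. The interface alias, next-hop gateway, VLAN prefixes and test hosts are assumed placeholder values; the allow rule from the DA Server's internal IP to those VLANs still has to be created on the internal firewall itself.

```powershell
# Assumed values for this example: adjust to your environment.
$InternalNic = 'Internal'          # alias of the DA Server's internal NIC
$InternalGw  = '10.0.0.1'          # next hop on the internal segment
$Vlans = @(                        # VLANs the internal firewall allows the DA Server to reach
    '10.10.0.0/24',                # e.g. domain controllers / AD CS
    '10.20.0.0/24',                # e.g. application servers
    '10.30.0.0/24'                 # e.g. file services
)

# Add a persistent static route per VLAN (skip ones that already exist).
foreach ($prefix in $Vlans) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -DestinationPrefix $prefix `
                     -InterfaceAlias $InternalNic `
                     -NextHop $InternalGw `
                     -PolicyStore PersistentStore | Out-Null
        Write-Host "Added route $prefix via $InternalGw on $InternalNic"
    } else {
        Write-Host "Route $prefix already present"
    }
}

# Verify: every VLAN should resolve to the internal NIC, not the external one.
Get-NetRoute -DestinationPrefix $Vlans |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias | Format-Table

# Spot-check reachability through the internal firewall rule.
# Hosts are placeholders; pick one service per VLAN (e.g. LDAP on a DC).
$Checks = @(
    @{ Host = '10.10.0.10'; Port = 389 },
    @{ Host = '10.20.0.10'; Port = 443 },
    @{ Host = '10.30.0.10'; Port = 445 }
)
foreach ($c in $Checks) {
    $ok = Test-NetConnection -ComputerName $c.Host -Port $c.Port -InformationLevel Quiet
    Write-Host ("{0}:{1} reachable = {2}" -f $c.Host, $c.Port, $ok)
}
```

A failing Test-NetConnection with the route present points at the internal firewall rule rather than at routing on the DA Server.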