Hi Barkley
Please see this TechNet link, which will back up your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx
Section Reads -
When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
ISATAP: Protocol 41 inbound and outbound
TCP/UDP for all IPv4/IPv6 traffic
Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU
"I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess servers internal network interface on the LAN unrestricted is the best configuration in terms of supportability and provides the best user experience."
Kindest Regards