DirectAccess – The adapter configured as external-facing is connected to a domain!
Server side DirectAccess requires one network adapter to be configures as external with the Public or Private profile to apply the Connection Security rules. With the security connection rules in place the DirectAccess server will be able to offer IPSec authentication and tunneling to the clients.
Recently I was involved in a customer case where the DirectAccess server decided to change the external-facing interface to the domain profile, this caused the server to deactivate all security connection rules and the whole DirectAccess solution to stop working.
Now the decision about the profile type for a network interface in Windows is handled by the Network Location Awareness NLA service. The NLA probes for the possibility to reach the servers domain and if a connection is successful the profile will change to domain and the interface will be categorised as "Intranet Authenticated" according to NLA.
The solution or rather said the reason for the sudden change in the specific customer case was firewall related. The firewall was configured to allow traffic from DMZ, where the DirectAccess server external interface was connected, to the internal domain network, this caused NLA to "see" the domain over the external interface and…. So the solution was simply to configure a deny rule prohibiting the DirectAccess server external IP from accessing internal resources and all was back to normal again!
The following registry location is good help when troubleshooting NLA related problems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
/Hasain
