With the advent of Windows Vista Microsoft substantially improved their embedded Windows firewall. As policy I ALWAYS enable Windows firewall since this is an excellent addition to a defense-in-depth strategy.
One of the many changes was the introduction of the concept of a “Network Location”. The idea is that you have a notebook that travels from an office using the “Domain” profile then that notebook stops by the local coffee shop and the firewall converts to “Pubic” rules. Finally the notebook makes it to the house and is on the “Private” profile.
Each firewall location normally has a different set of firewall rules to support it’s ability to access resources and still adequately protect that system from threats in the current environment.
Coupled with DirectAccess the roaming client determines where the client is in relation to the network accessed by DirectAccess using an NLS (Network Location Server). If the client in it’s current environment CAN NOT access the NLS server then it connects to the network using DirectAccess. If the client CAN see the NLS server then it decides that it is on the domain network so does not try to connect to VPN since this would be undesireable.
The NLS server is really just a website that is hosted inside of the network that is NEVER published outside. If the client can see the website then it is in “Domain” profile.
One architectural step that is commonly skipped is having a highly available NLS website. Things work fine when the site is up but when say patches are applied to the individual web server then all DA clients on the network decide that they aren’t online while the server is bounced.
It seems like overkill but trust me, it’s worth having the web server running in a highly available configuraation (normally Network Load Balanced) for the NLS to always work right. Make sure that patch schedules accomodate at least one of the servers staying online at all times.
Enjoy your environment and remember that it’s never too late to convert that NLS server to HA.