Been testing DirectAccess for a while and recently implemented an HRA, CA and an NPS server. The HRA/CA/NPS roles are installed onto a single server. For testing purposes I haven't enabled the option named:
- Enforce corporate compliance for DirectAccess with NAP
- Haven't added the HRA server to the management servers
Without the options configured in DirectAccess all seems to be working fine, health is validated on the client and they receive health certificates.
But once I add the IP address or FQDN of the HRA server to the management servers on the DA server, the client fails to retrieve health certificates. The strange thing is, I can ping the HRA server and browse to the IIS site configured for HRA.
So it seems it has something to do with the tunnel (Management tunnel?)
Configuration:
-NPS, HRA and CA role are configured on one server, internal
-HRA is NOT externally published
-DA is configured behind a NAT device
-Windows 7 clients are used
-Computer authentication using computer certificates is configured
Unfortunately there's not much information to be found about NAP and DA 2012 and how to troubleshoot it.
(Only found this document to verify management tunnels: http://technet.microsoft.com/en-us/library/ee844097(v=ws.10).aspx, but this applies to 2008 R2 and I cannot find any other documentation.)
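As an added troubleshooting aid (not part of the original post, and not the poster's own commands), the script below collects the pieces that decide whether an HRA listed as a DirectAccess management server is actually reachable through the infrastructure tunnel: the management-server list on the DA server, and on a Windows 7 client the effective NRPT policy, the IPsec security associations, the NAP client state and a plain TCP check against the HRA. The server names, the HRA FQDN and the port are placeholders to be replaced with the values from your own deployment; the cmdlets and netsh contexts used are the ones shipped with Windows Server 2012 and Windows 7.

```powershell
# Added example: verify the DirectAccess management-server path to an HRA.
# Placeholders (assumptions, replace with your own values):
$HraFqdn = 'hra.corp.example'   # FQDN entered under "management servers" on the DA server
$HraPort = 443                   # HRA over HTTPS; use 80 if the HRA site is HTTP-only

# ---- Run on the DirectAccess server (Windows Server 2012) ----
function Get-DAManagementServers {
    # Lists every management server DA pushes to clients; the HRA entry must
    # resolve to an address that is routed over the infrastructure tunnel.
    Import-Module RemoteAccess
    Get-DAMgmtServer -Type All
}

# ---- Run on a Windows 7 DirectAccess client ----
function Test-HraTcpReachability {
    param([string]$Fqdn, [int]$Port)
    # Test-NetConnection does not exist on Windows 7, so open a raw TCP socket.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Show-DAClientTunnelState {
    param([string]$Fqdn)

    Write-Host "== NRPT effective policy (the HRA name must be sent over the DA tunnel) =="
    netsh namespace show effectivepolicy

    Write-Host "== IPsec main-mode SAs (infrastructure tunnel uses computer certificate auth) =="
    netsh advfirewall monitor show mmsa

    Write-Host "== IPsec quick-mode SAs (traffic actually flowing inside the tunnels) =="
    netsh advfirewall monitor show qmsa

    Write-Host "== NAP client state (enforcement clients, health status) =="
    netsh nap client show state

    Write-Host "== Certificates in the computer store (look for the health certificate) =="
    certutil -store My

    Write-Host "== TCP reachability of the HRA =="
    if (Test-HraTcpReachability -Fqdn $Fqdn -Port $HraPort) {
        Write-Host "TCP connect to ${Fqdn}:${HraPort} succeeded"
    } else {
        Write-Host "TCP connect to ${Fqdn}:${HraPort} FAILED"
    }
}

# Usage (client side):
# Show-DAClientTunnelState -Fqdn $HraFqdn
# Usage (server side):
# Get-DAManagementServers
```

If the TCP connect succeeds but `show qmsa` shows no quick-mode SA toward the HRA's address while the main-mode SA to the DA server is present, the HRA traffic is not being carried in the infrastructure tunnel and the NRPT or management-server entry is the place to look; if the health certificate is missing from the computer store while `show state` reports the NAP agent as compliant, the HRA request itself is failing rather than the health evaluation.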