I'm very happy with my multisite DirectAccess deployment so far. The last step is activating a manage out scenario. For this manage out scenario I have some trouble getting it working. Let me explain the issue in more depth.
I've observed that the DA client gets two IPv6 addresses from the DA server irrespective of the setting 'Randomize Identifiers' in the global IPv6 settings on the DA client (netsh int ipv6 set global rand=dis|ena). The effect is that the DA client uses the temp IPv6 address to set up the IPsec tunnels to the DA server, but that only the normal IPv6 address is registered in the intranet DNS.
Therefore, in a manage out scenario a request is made to the normal IPv6 address of the DA client, and there is no established IPsec tunnel yet. In other words, you need to create on the DA client a specific Windows Firewall rule to allow IKE traffic inbound in order to establish an IPsec tunnel from the DA server to the DA client.
I can't find any reference to this important step in any documentation. I remember vaguely that in Windows 10 the temp IPv6 address is by default not assigned to DirectAccess clients (*). So, the obvious question is: is what I observed correct, and if so, how do I disable that DirectAccess temp IPv6 address on a Windows 8/8.1 host?
Best Regards,
Stefaan
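The post distinguishes the global 'Randomize Identifiers' knob from the temporary (privacy) address a DA client ends up using. The following PowerShell script is an added example, not part of the original post or of any Microsoft documentation: it shows both global IPv6 privacy settings side by side and classifies every IPv6 address on the DirectAccess IP-HTTPS interface as stable or temporary, so an administrator can confirm on a given client which address would be registered in DNS and which one the tunnels actually originate from. It assumes the NetTCPIP module is available (Windows 8/8.1 and later) and that the DA adapter carries the usual alias `IPHTTPSInterface`; adjust `-InterfaceAlias` if the client names it differently. Disabling temporary addresses is done with the separate `UseTemporaryAddresses` setting, which the `-DisableTemporaryAddresses` switch applies.

```powershell
# Added example (not from the original post): inspect IPv6 privacy settings and
# classify the IPv6 addresses on the DirectAccess IP-HTTPS interface.
# Assumptions: Windows 8/8.1 or later with the NetTCPIP module; the DA IP-HTTPS
# adapter is named 'IPHTTPSInterface' (override with -InterfaceAlias if not).
param(
    [string]$InterfaceAlias = 'IPHTTPSInterface',
    [switch]$DisableTemporaryAddresses
)

# Global IPv6 settings. 'RandomizeIdentifiers' (netsh ... set global rand=...) only
# controls how the stable interface identifier is formed; 'UseTemporaryAddresses'
# (netsh interface ipv6 set privacy state=...) controls whether a temp address exists.
$proto = Get-NetIPv6Protocol
[pscustomobject]@{
    RandomizeIdentifiers  = $proto.RandomizeIdentifiers
    UseTemporaryAddresses = $proto.UseTemporaryAddresses
} | Format-List

# Every IPv6 address on the DA interface. A temporary (privacy) address is
# reported with SuffixOrigin 'Random'; the stable one carries any other origin.
Get-NetIPAddress -AddressFamily IPv6 -InterfaceAlias $InterfaceAlias -ErrorAction Stop |
    Select-Object IPAddress, PrefixOrigin, SuffixOrigin, AddressState, SkipAsSource,
        @{ Name = 'Kind'; Expression = { if ($_.SuffixOrigin -eq 'Random') { 'Temporary' } else { 'Stable' } } } |
    Format-Table -AutoSize

if ($DisableTemporaryAddresses) {
    # Administrative change, equivalent to: netsh interface ipv6 set privacy state=disabled
    # Requires an elevated prompt. Reconnect the DA tunnel and re-run to confirm that
    # only the stable address remains on the interface.
    Set-NetIPv6Protocol -UseTemporaryAddresses Disabled
    Write-Output 'Temporary IPv6 addresses disabled; reconnect DirectAccess and re-run this script to verify.'
}
```

Run it once as-is to get the inventory, and compare the 'Stable' address with the AAAA record the intranet DNS holds for the client; if the tunnels are sourced from the 'Temporary' address, that difference is what a manage-out connection runs into. The script changes nothing unless `-DisableTemporaryAddresses` is given.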