DirectAccess allows you to connect to your LAN transparently from the internet. It does this through UAG when you do not have a full IPv6 deployment.
DirectAccess checks whether or not it has access to the server identified as your Network Location Server (NLS), typically through a URL such as https://nls.domain.com. This name is excluded from the NRPT table for external clients, and it is not published or made available over the internet. So, if you can connect to this site then you must be internal, right? That is pretty much correct, unless you are not using IIS for your NLS web site. DirectAccess relies not only on a 200 response from the web server (connectivity) but also upon the receipt of a properly formatted page. Just opening the page in Internet Explorer may not reveal any issue with the page itself, as IE may mask the problems in order to render the page.
The way to know whether or not the NRPT table is in use (and hence whether DirectAccess believes itself to be internal or external to the LAN) is to run the following command from an administrative command prompt:
netsh namespace show effectivepolicy
If the workstation or laptop believes itself to be on the LAN then no table will be created and the output of the command will be similar to the below.
However, running the same command when the machine is external will produce output similar to the below.
This indicates that the NRPT table is being created and, above, you can see two entries (one for the NLS server and one for the UAG device). These are exemptions: queries for these names must not be passed through the tunnel to the internal network, but resolved over the client's local interface.
If you deploy DirectAccess and internal clients which are subject to the DirectAccess GPO begin to have difficulty connecting to resources while on the LAN, it may be that they cannot correctly connect with the Network Location Server. They therefore build their NRPT table and attempt to pass all traffic through the public interface of the UAG device. If that interface cannot be contacted from inside the LAN, communications from the client will fail. If it can be contacted and large numbers of end points are affected, performance may suffer as multiple internal clients route through the external interface.
If you want to see the policy that would be applied to a client once it leaves the LAN, simply enter the command
netsh namespace show policy
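The two checks above (NLS reachability and the effective NRPT) can be combined into one client-side diagnostic. The script below is an added example and is not part of the original post; it assumes the NLS URL from the post (https://nls.domain.com, a placeholder for your own) and that netsh prints one "Settings for <namespace>" block per effective rule with a "DirectAccess (DNS Servers)" line inside it.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# $NlsUrl is a placeholder; replace it with your own Network Location Server URL.
param([string]$NlsUrl = "https://nls.domain.com")

function Get-NrptState {
    # Assumed netsh layout: one "Settings for <name>" block per effective NRPT rule.
    # No block at all means no table is in effect, i.e. the client thinks it is internal.
    $raw = netsh namespace show effectivepolicy
    $rules = @()
    $current = $null
    foreach ($line in $raw) {
        if ($line -match '^Settings for (.+)$') {
            $current = [pscustomobject]@{ Namespace = $Matches[1].Trim(); DnsServers = '' }
            $rules += $current
        } elseif ($current -and $line -match '^DirectAccess \(DNS Servers\)\s*:\s*(.*)$') {
            $current.DnsServers = $Matches[1].Trim()
        }
    }
    return $rules
}

function Test-NlsReachable {
    param([string]$Url)
    try {
        # DirectAccess needs an HTTP 200 from the NLS, not merely a TCP connection.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($resp.StatusCode -eq 200)
    } catch {
        return $false
    }
}

$rules = Get-NrptState
$nlsOk = Test-NlsReachable -Url $NlsUrl

if ($rules.Count -eq 0) {
    Write-Output "No effective NRPT rules: client considers itself INTERNAL."
} else {
    Write-Output "Effective NRPT rules present: client considers itself EXTERNAL."
    foreach ($r in $rules) {
        # An empty DNS server list marks an exemption (e.g. the NLS and UAG names)
        # that is resolved over the local interface rather than through the tunnel.
        $kind = if ($r.DnsServers) { "tunnelled via $($r.DnsServers)" } else { "exempt" }
        Write-Output ("  {0,-30} {1}" -f $r.Namespace, $kind)
    }
}

Write-Output ("NLS {0} returned HTTP 200: {1}" -f $NlsUrl, $nlsOk)
if ($rules.Count -gt 0) {
    if ($nlsOk) { Write-Output "NLS answers but NRPT is active: check the NLS page content, not just connectivity." }
    else        { Write-Output "NLS unreachable: if this client is on the LAN, it will try to route through the UAG external interface." }
}
```

Run it once on a known-internal client and once on a known-external one; the internal run should report no rules and a successful NLS check, the external run the opposite.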