I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.
I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. Certificates from our domain CA (not the standalone ones for NAP) are used so Win7 clients can also connect. When the computer establishes a DirectAccess connection it's unable to connect to any resources that are part of NAP (only non-NAP resources, i.e. exceptions, are available). napstat reveals that the client is healthy (it also has the health certificate).
Here's how the Connection Security Rules look on a client:
The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).
It appears these settings don't coexist all that well. If I go to my DA server and click "Enforce corporate compliance for DirectAccess with NAP" I have even less connectivity (unable to reach DA server from clients in DA...).
What am I doing wrong? Are additional logs or information needed to better assist me?
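A way to capture the Connection Security Rule and IPsec SA state that the question refers to, as an added example that is not part of the original post. It uses the built-in NetSecurity cmdlets on a Windows 8 / Server 2012 machine (run elevated); the equivalent netsh commands for the Windows 7 clients are listed as comments at the end. Nothing here changes policy, it only reads it.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# PowerShell session on a Windows 8 / Server 2012 client; the NetSecurity
# cmdlets are not present on Windows 7, where the netsh lines at the end apply.

# 1. List every active Connection Security Rule with its security requirements
#    and authentication sets, so the DirectAccess-generated rules can be
#    compared side by side with the NAP enforcement rules.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity,
                  Phase1AuthSet, Phase2AuthSet |
    Format-Table -AutoSize

# 2. Resolve the address filter attached to each rule, to spot overlapping or
#    contradictory address ranges between the DA tunnel rules and the NAP rules
#    (two rules matching the same traffic with different requirements is the
#    usual reason such rule sets fail to coexist).
Get-NetIPsecRule -PolicyStore ActiveStore | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalAddress  = ($addr.LocalAddress -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# 3. Show which IPsec security associations are actually established right now,
#    including which identity (machine cert vs. health cert) each peer presented.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId, CipherAlgorithm
Get-NetIPsecQuickModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode

# Windows 7 equivalents (netsh), for the Win7 clients mentioned in the post:
#   netsh advfirewall consec show rule name=all
#   netsh advfirewall monitor show mmsa
#   netsh advfirewall monitor show qmsa
```

Pasting the output of steps 1 and 2 from a client (with addresses redacted as needed) is the kind of information that lets someone else see whether a NAP rule and a DirectAccess rule claim the same remote range with different authentication requirements.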