https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/157025#M51546 <P>DA does have a public IP. The PA is currently setup as a vwire, so NAT is handled by our Cisco ASA. I have all of the ports enabled correctly on the ASA).&nbsp; As far as the PA, I created application overrides for all of the ports. One thing I noticed and I know this is the default since version 7 ( I believe); the policy for "Inbound Traffic" has application-Default as a service type. Should I change this to any and see if that solves the issue (instead of trying to figure out application overrides)?</P><P>&nbsp;</P><P>You mention premit all traffic from the source IP. Is that as in creating a new policy with that source IP and set any as service and allow? &nbsp;</P><P>&nbsp;</P><P>Sorry, still a newbie to PAN.&nbsp; Thanks.&nbsp;</P> Wed, 17 May 2017 13:42:38 GMT jharlow 2017-05-17T13:42:38Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/156461#M51365 <P>Trying to configure DireectAccess (Windows Server) to work but I believe it is failing due to the Palo Alto. I created a custom application and application override for the ports needed but still failing. Per a Microsoft Document, "the firewall has to be configured to pass the traffic through transparently. you cannot NAT the traffic".&nbsp; How do I do this?&nbsp; Anyone else experience using DA (more so with DA is behind the PA firewall)?&nbsp;</P><P>&nbsp;</P><P>Thanks,&nbsp;</P> Fri, 12 May 2017 18:14:51 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/156461#M51365 jharlow 2017-05-12T18:14:51Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/156975#M51530 <P>I have not set up DirectAccess but few ideas.</P><P>Do you have dedicated public IP for DA?</P><P>If yes then can you set up bi-directional NAT with Service Any.</P><P>Permit all traffic from specific source IP you attempt to connect from to this DA IP.</P><P>Review logs. What applications do you see in use?</P><P>Disable app-overrides temporarily to see how Palo identifies this traffic.</P> Tue, 16 May 2017 22:10:11 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/156975#M51530 Raido_Rattameister 2017-05-16T22:10:11Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/157025#M51546 <P>DA does have a public IP. The PA is currently setup as a vwire, so NAT is handled by our Cisco ASA. I have all of the ports enabled correctly on the ASA).&nbsp; As far as the PA, I created application overrides for all of the ports. One thing I noticed and I know this is the default since version 7 ( I believe); the policy for "Inbound Traffic" has application-Default as a service type. Should I change this to any and see if that solves the issue (instead of trying to figure out application overrides)?</P><P>&nbsp;</P><P>You mention premit all traffic from the source IP. Is that as in creating a new policy with that source IP and set any as service and allow? &nbsp;</P><P>&nbsp;</P><P>Sorry, still a newbie to PAN.&nbsp; Thanks.&nbsp;</P> Wed, 17 May 2017 13:42:38 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/157025#M51546 jharlow 2017-05-17T13:42:38Z https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/157027#M51547 <P>Yes if you know public ip of client who tries to communicate then create policy where source zone is wan, source ip is client ip, application is any and service is any.</P><P>&nbsp;</P><P>And share logs what you see Monitor &gt; Traffic.</P> Wed, 17 May 2017 14:32:50 GMT https://live.paloaltonetworks.com/t5/general-topics/setting-up-ms-directaccess/m-p/157027#M51547 Raido_Rattameister 2017-05-17T14:32:50Z