To allow DirectAccess (DA) to function properly with Endpoint Protection, you will need to:
1. Enable the Windows Firewall Service (for Windows 7, it should already show as enabled and managed by SEP under Control Panel, Windows Firewall).
2. To leave Endpoint Protection in charge and have Windows Firewall control only IPsec (ConSecRuleRuleCategory), select the SEP Firewall policy option 'Disable Always'.
Note: If the SEP Firewall policy option “No Action” or “Restore if Disabled” is chosen, the Microsoft Firewall will be in charge of all four categories. You can verify this with the command `netsh advfirewall show global`.
For more information please read:
3. Ensure that the SEP Firewall is configured to allow all IPv6 traffic.
Note: In SEP 12.1, open the SEPM console -> Policies -> Firewall, then change the SEP firewall rules for IPv6 traffic from "Block" to "Allow".
1. Log on to the Endpoint Protection Manager (SEPM).
2. Click Policies.
3. Click Firewall then click Edit Policy.
4. Click Rules.
5. Select Add Rule...
6. Enter a rule name
7. Click Next
8. Select Allow connections
9. Click Next
10. Select All Applications
11. Click Next
12. Select Any computer or site
13. Click Next
14. Select Only the communications selected below:
15. Click Add...
16. Set the Protocol to Ethernet
17. For Protocol Type, add IPv6 (0x86dd)
18. Click OK
19. Click Next
20. Choose your desired log setting
21. Click Finish
22. Click OK
DirectAccess should now function as expected.
For more information on configuring the DirectAccess Infrastructure, please see: https://technet.microsoft.com/en-us/library/jj134204(v=ws.11).aspx
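The verification mentioned in the note under step 2 can be scripted. The following PowerShell is an added example, not part of the original article or a Symantec tool: it parses the Categories block of `netsh advfirewall show global` and reports when ownership does not match the intended split (Windows Firewall owning only ConSecRuleRuleCategory). It assumes English-language netsh output; the function names and the sample text, including the owner string shown for SEP, are constructed for illustration.

```powershell
# Added example: check which product owns each Windows Firewall rule category.
function Get-FirewallCategoryOwner {
    param([string[]]$Lines)
    $owners = [ordered]@{}
    $inCategories = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Categories:') { $inCategories = $true; continue }
        if (-not $inCategories) { continue }
        # "<Name>Category", two or more spaces, then the owning product name
        if ($line -match '^\s*(\S+Category)\s{2,}(.+?)\s*$') {
            $owners[$Matches[1]] = $Matches[2]
        }
    }
    $owners
}

function Test-DirectAccessSplit {
    param([System.Collections.IDictionary]$Owners)
    $ipsec = 'ConSecRuleRuleCategory'
    if (-not $Owners.Contains($ipsec)) {
        "No $ipsec line found; output was not parsed"
    }
    elseif ($Owners[$ipsec] -ne 'Windows Firewall') {
        "$ipsec is owned by '$($Owners[$ipsec])', not Windows Firewall"
    }
    foreach ($name in $Owners.Keys) {
        if ($name -ne $ipsec -and $Owners[$name] -eq 'Windows Firewall') {
            "$name is owned by Windows Firewall (SEP policy 'No Action' or 'Restore if Disabled'?)"
        }
    }
}

# Constructed sample output; the SEP owner string is a placeholder.
# On a client use:  $lines = netsh advfirewall show global
# Step 1 can be checked with:  (Get-Service -Name MpsSvc).Status
$lines = @'
Categories:
BootTimeRuleCategory                  Symantec Endpoint Protection
FirewallRuleCategory                  Symantec Endpoint Protection
StealthRuleCategory                   Symantec Endpoint Protection
ConSecRuleRuleCategory                Windows Firewall
'@ -split '\r?\n'

$findings = @(Test-DirectAccessSplit (Get-FirewallCategoryOwner $lines))
if ($findings.Count -eq 0) { 'OK: only IPsec rules are owned by Windows Firewall' }
else { $findings }
```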