Hi Philip,
Thanks for your reply. These clients are behind the MX68 with just a connection to the internet, like a SOHO setup. The Microsoft DA server is hosted at a DC location, reachable over the public internet. When these clients use their home internet, they connect to the Microsoft DA seamlessly.
I had the experiment in mind which you mentioned, but before trying on wireless, I tried over the wired. I made a new VLAN in a 192.168.x.x space (just to mimic the same IP range that clients get at home) and assigned that to a port in the office where the client connected using a wired connection. They could get the internet through the MX68, but the Microsoft DA client on the workstation/laptop didn't connect; it stays in the connecting state. With Microsoft's DA 6to4 tunnels and IPoverHTTPS requirements for clients, I was wondering if there are any inbound firewall policies which would need to get applied on the MX68 over the default deny?
On the other hand, as I understand it's a client-initiated connection to the DA server, so as a stateful connection, the firewall should allow the communication back... it's just that the 6to4 tunnel requirement is not making sense to me, whether it would need to be explicitly allowed in some form.
Regards,
-KN