Your DirectAccess product is 100x more complicated than it should be.
If I ever meet the developers who designed and developed DirectAccess, I am going to belt you around the head repeatedly, until you delete the whole bloody thing and do it again properly!
DirectAccess, the way it should have been:
-Require a SINGLE Public IP Interface and specify it by Interface, or manually specify the public IP if behind a NAT or Firewall. (Why the fuck do I need 2 sequential public Interfaces??? Don't you know we're running out of IPv4 addresses???)
-On server, Install RRAS and Enable "DirectAccess" in the same way PPTP is enabled. It should be no more than a bloody tickbox!
-Enable traffic on port 22 (or any port you want) and run an SSH/DirectAccess Server on that port.
-Create an AD Group, filled with computer objects that will connect with DirectAccess.
-Specify the AD Group(s) in RRAS/DirectAccess, and have them set up with a group policy which configures them properly. Including a Public Certificate with which to authenticate, Public DirectAccess Server IP address and Port and other basic information.
-Must be connected to the LAN at least once in order to get it's next Group Policy
-After that, the next time it's NOT on the LAN, and does NOT have access to any DCs, and DOES have access to the public interface of the RRAS/DirectAccess server (which it knows by the GroupPolicy object) it should connect to the server and authenticate with the certificate that was automatically allocated and delivered by GP
-The DirectAccess server will then determine whether the Computer Object is still valid, if so it gets an IP address INSIDE the LAN (v4 or v6).
-Traffic should flow normally, as though you had connected to PPTP, and you should then be able to log on to the domain normally, like you would inside the LAN.
How fucking hard is that?
It should be a 10 minute job.