In DirectAccess, you have the option of allowing internal hosts initiate connections to DirectAccess clients. Typically, you want to limit this capability to only Help Desk and any services that might need to establish these kind of outbound connections to the DirectAccess clients. However, there are many issues that you might run into that can made this problematic.
For a great description of an approach you can take to troubleshoot the problem when you run into it, check out:
DEBRA LITTLEJOHN SHINDER
MVP (Enterprise Security)