Offline Authentication Refresh over Internet

Question asked by Scott Eakin on Aug 9, 2018
We have users using local Windows Authenticator with Offline Authentication enabled. However, some of these users are off-site for extended periods of time (>8 months). We use Microsoft Direct Access as our VPN system and support has indicated that the offline refresh is unable to occur over Direct Access. Question is, how safe would it be to open port 5580 to the Internet and be able to allow Offline Refreshes over the Internet? Another question would be, is there any harm in having an Offline Authentication policy with the number of days offline set to some high amount like 365 days?