When users are off the LAN, Windows cannot reach the Domain Controller on its own. This is the case whenever you work somewhere other than the office, for example while travelling or working from home. With the right entitlements in place, Windows users can change their password even remotely (if the context allows), and you can push Group Policy updates to the machine.
You will need the DNS servers in an entitlement; usually this has been done earlier. Make sure they are available to those users (check the filter/policy):
ALLOW TCP up 53 DNS1, DNS2, DNSn
ALLOW UDP up 53 DNS1, DNS2, DNSn
Add the following to an entitlement so that the Windows client machine and the Domain Controller can talk to each other (the UDP rules target the same Domain Controllers as the TCP and ICMP rules):
ALLOW tcp up 88,135,139,445,464,474,636,3268,3269,5200,5201,5722 DC1, DC2, DCn
ALLOW tcp down 88,135,139,445,464,474,636,3268,3269,5200,5201,5722 DC1, DC2, DCn
ALLOW udp up 88,123,137,138,139,389,474 DC1, DC2, DCn
ALLOW udp down 88,123,137,138,139,389,474 DC1, DC2, DCn
ALLOW icmp up 0-255 DC1, DC2, DCn
Note: Group Policy processing and other RPC-based traffic between a client and a Domain Controller normally also needs LDAP over TCP 389 and the dynamic RPC port range (49152-65535 on Windows Server 2008 and later). If a Group Policy refresh fails with only the rules above in place, check those ports first.
Now that the entitlement is in place, adjust your filter/policy to use it. The entitlement is picked up when the tokens are renewed, which happens when the tokens expire, when the admin revokes the user, or when the user logs out and in again.
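To confirm that the entitlement actually works from a remote client, the following PowerShell script (an added example, not part of the original page or the product's own tooling) walks through the checks a practitioner would run on the Windows machine once its tokens have been renewed: DNS resolution of the domain's DC SRV records through the entitled DNS servers, TCP reachability of every port in the entitlement on each Domain Controller, a DC locator call (which exercises the UDP LDAP ping the "udp up" rules allow), the machine's secure channel, and a forced Group Policy refresh. The domain name, Domain Controller names and DNS server names are placeholders and must be replaced with your own values.

```powershell
# Added example: post-entitlement connectivity check, run on the remote Windows client
# in an elevated PowerShell session. Not code from the original page.
# $Domain, $DomainControllers and $DnsServers are placeholders (assumption): replace them.
param(
    [string]$Domain = 'corp.example.com',
    [string[]]$DomainControllers = @('DC1', 'DC2'),
    [string[]]$DnsServers = @('DNS1', 'DNS2')
)

# TCP ports from the "tcp up" entitlement rule on the page.
$TcpPorts = 88, 135, 139, 445, 464, 474, 636, 3268, 3269, 5200, 5201, 5722

$failures = @()

# 1. DNS: the client must resolve the domain's DC SRV records via the entitled DNS servers.
foreach ($dns in $DnsServers) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction Stop
        Write-Host ("DNS {0}: {1} DC SRV record(s) found" -f $dns, @($srv).Count)
    } catch {
        $failures += "DNS $dns could not resolve _ldap._tcp.dc._msdcs.$Domain : $($_.Exception.Message)"
    }
}

# 2. TCP: Test-NetConnection probes TCP only, so this covers the "tcp up" rules.
foreach ($dc in $DomainControllers) {
    foreach ($port in $TcpPorts) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) {
            $failures += "TCP $dc`:$port not reachable (check the entitlement and the filter/policy)"
        }
    }
}

# 3. UDP (88, 123, 389, ...) cannot be probed with Test-NetConnection. The DC locator
#    uses the LDAP UDP 389 ping, so a successful locate is the practical check for the
#    "udp up" rules.
$locate = & nltest.exe /dsgetdc:$Domain /force 2>&1
if ($LASTEXITCODE -ne 0) {
    $failures += "DC locator failed: $($locate -join ' ')"
}

# 4. Secure channel: the machine account must authenticate to a DC across the tunnel.
if (-not (Test-ComputerSecureChannel)) {
    $failures += 'Machine secure channel to the domain is broken'
}

# 5. Group Policy refresh: the end-to-end result the page is aiming for.
$gp = & gpupdate.exe /target:computer /force 2>&1
if ($LASTEXITCODE -ne 0) {
    $failures += "gpupdate failed: $($gp -join ' ')"
}

if ($failures.Count -eq 0) {
    Write-Host 'All checks passed: DNS, DC ports, DC locator, secure channel and Group Policy refresh OK.'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it right after a log-out/log-in (so the renewed tokens carry the new entitlement). A failure in step 2 on a single port points at the entitlement or the filter/policy; a pass in step 2 but a failure in step 5 usually means RPC-based traffic outside the listed ports is being blocked.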