If the 2012R2 host is able to see (or be seen by) the Internet, can you check its IP address settings and see how they look?
Any which way, the Firewall has to be configured with two interfaces and the internet-facing interface needs to have a default gateway address configured which is part of the same subnet range as the IP address assigned to the internet-facing interface.
Maybe the hosting service has a clever way of routing traffic to/from the cloud host, without that cloud host having a configured default gateway. You can obviously configure a single-interface Windows or Unix/Linux host without specifying a default gateway address and it will be assumed by the host that there will be no need to communicate beyond its own subnet.
Phil, thanks for the response. The 2k12 server is configured with the gateway not in the range of the local subnet. I can just force it by acknowledging the logic error. I can't figure out how to make the FWE do the same thing... yet.
I don't necessarily want this statement to come across as the absolute word (there may be others with better educated opinions), but I suspect the reason why you can effectively override the gateway setting under Windows (or you can leave it completely blank, if you wish) is because its primary role isn't to route traffic.
Given the Firewall needs to have a minimum of two configured interfaces, and one of those provides the route to the "outside world" (even if it isn't actually connected to an Internet circuit), the presence of a default gateway and the fact that the value has to be valid is key to its operation.
I haven't worked exclusively with MFE over the years, so I know this basic premise is the same for all the other Firewalls I've come into contact with. Without a valid default gateway it potentially can't do its job, so I'm assuming that McAfee have insisted on verifying this value at installation to minimize the chances of an Admin being left tearing his/her hair out when it doesn't pass any traffic.
I can only suggest that you discuss this with the people providing this cloud service. It almost seems that they aren't expecting customers to install dedicated Firewall solutions - which would then allow you to use NAT and host a number of virtual machines on the trusted side.
Can the service provider deliver this IP address using DHCP? If so, then configure the external interface of the Firewall accordingly and trust that they deliver the IP address you have been told.
Bottom line, your MFE installation needs to have a default gateway configured and it needs to sit in the same subnet as the assigned IP address.
Support helped me with the issue. They suggested that I add an alias to the interface with an IP address that matched the network with a /30 to keep the subnet small. Now things work.
Thanks for the input, the DHCP idea was clever, but I couldn't get a DHCP server to issue an address with a mask of 255.255.255.255.
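The on-link gateway check and the /30 alias workaround discussed in this thread, as an added example that is not part of the original posts or of any McAfee tooling. It assumes the alias is placed in the small subnet that contains the gateway; the function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress

def gateway_on_link(iface_cidr, gateway):
    """True if the gateway is a usable host in the interface's own subnet."""
    iface = ipaddress.ip_interface(iface_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw not in net or gw == iface.ip:
        return False          # a /32 interface always ends up here
    if net.prefixlen >= 31:
        return True           # /31 has no network/broadcast address
    return gw not in (net.network_address, net.broadcast_address)

def alias_for_gateway(gateway, prefix=30, in_use=()):
    """Pick an alias address/prefix that puts the gateway on-link.

    Starts at /prefix and widens only when needed (no wider than /24):
    the gateway must be a usable host, and the alias must not be an
    address already known to be taken (in_use).
    """
    gw = ipaddress.ip_address(gateway)
    taken = {ipaddress.ip_address(a) for a in in_use} | {gw}
    for plen in range(prefix, 23, -1):
        net = ipaddress.ip_network(f"{gw}/{plen}", strict=False)
        if gw in (net.network_address, net.broadcast_address):
            continue          # gateway is not a host address at this size
        for host in net.hosts():
            if host not in taken:
                return f"{host}/{plen}"
    raise ValueError("no free alias address found up to /24")

if __name__ == "__main__":
    # Constructed sample: /32 address on the external interface,
    # gateway in a different range, as described in the thread.
    iface, gw = "203.0.113.77/32", "198.51.100.1"
    print("gateway on-link:", gateway_on_link(iface, gw))
    print("candidate alias:", alias_for_gateway(gw))
```

The candidate alias comes out of the provider's gateway range, so confirm with the provider that the address is free before assigning it.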