Let's start from scratch:
What ports are you allowing in on the firewall?
For the Windows VIA clients alone, you need HTTPS (TCP 443) and NAT-T (UDP 4500).
For Mac clients, you need IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50), L2TP (UDP 1701), and PPTP (TCP 1723).
On the command line of the controller, you should first see if there are any incoming TCP 443 or UDP 4500 connections:
"show datapath session table | include 443"
"show datapath session table | include 4500"
If you do not see any output, you have to fix the controller/firewall relationship.