This can happen if you have configured the DA connectivity verifiers to use the URL of the NLS server. The NLS server is normally listed as an exclusion in the NRPT, because it must not be available to DA clients; its unavailability is what triggers the DA client to initialize the DA connection.
This issue looks like a problem with the connection itself, but we can see it is not, because the client can clearly connect to other internal resources, so the DCA error is a false negative.
This is rather simple to address. Simply use a different server as a connectivity verification method!
To do this, follow these steps:
1. Open the UAG Configuration console
2. Go to the Client Connectivity Assistant Configuration
3. Go to page 2 of the wizard – “Connection Verification”
4. Remove the NLS URL, and add in a different server that should be available (the organization’s SharePoint server, or some other website, perhaps)
5. Complete the wizard
6. Activate the configuration.
7. Re-run the Group Policy script on UAG, and deploy the new policy to clients.
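Before re-running the wizard, a planned verifier list can be checked against the NRPT. The following is an added example, not from the original post or from UAG: the rule table and URLs are constructed, the function names are hypothetical, and the matching assumes the usual NRPT convention that a leading-dot entry is a suffix rule, the most specific rule wins, and an entry with no DNS servers is an exemption.

```python
from urllib.parse import urlsplit

# Constructed sample NRPT: namespace -> DNS servers used through the tunnel.
# An empty list marks an exemption (the name is not resolved via DirectAccess).
SAMPLE_NRPT = {
    ".corp.example.com": ["2001:db8::53"],
    "nls.corp.example.com": [],          # NLS exclusion, as described above
}

# Constructed sample verifier URLs.
SAMPLE_VERIFIERS = [
    "https://nls.corp.example.com/",
    "http://sharepoint.corp.example.com/",
    "http://www.example.org/",
]

def match_rule(host, nrpt):
    """Return the most specific NRPT namespace that matches host, or None."""
    host = host.lower().rstrip(".")
    best = None
    for namespace in nrpt:
        ns = namespace.lower()
        # Leading dot = suffix rule; otherwise the rule is an exact FQDN.
        hit = host.endswith(ns) if ns.startswith(".") else host == ns
        # Longer namespace = more specific; an exact FQDN always wins.
        if hit and (best is None or len(ns.lstrip(".")) > len(best.lstrip("."))):
            best = namespace
    return best

def classify(url, nrpt):
    """'exempt', 'tunnel' or 'no-rule' for the host named in a verifier URL."""
    host = urlsplit(url).hostname or ""
    rule = match_rule(host, nrpt)
    if rule is None:
        return "no-rule"    # not an internal namespace; proves nothing about DA
    return "tunnel" if nrpt[rule] else "exempt"

def audit(verifiers, nrpt):
    """Verifier URLs that hit an NRPT exemption and will fail over DA."""
    return [u for u in verifiers if classify(u, nrpt) == "exempt"]

if __name__ == "__main__":
    for url in SAMPLE_VERIFIERS:
        print(f"{classify(url, SAMPLE_NRPT):8} {url}")
```

Any URL reported as `exempt` produces the false DCA error described above; only a `tunnel` result names a host that actually exercises the DA connection.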
Here are some additional resources which talk about NLS and NRPT in detail:
Blog post written by Nitin Singh