How to Configure UAG to Publish Your Private Certificate Revocation List

In order for SSTP (Secure Socket Tunneling Protocol) and DirectAccess to work properly the SSTP and DirectAccess client must have access to the CRL (Certificate Revocation List) of the server certificate (if you are using Client Certificate or Smart Card authentication you will also need access from the client to the CRL) If you are…


URL and Antivirus Filtering for DirectAccess Clients

The question on how to handle DirectAccess clients and Internet security for those clients is always a popular topic. As I’ve mentioned many times in this blog, the overall threat and management profile of the DirectAccess client should be little different than a client that is on the intranet. However, there is one major difference…


Why Split Tunneling is Not a Security Issue with DirectAccess

(Discuss UAG DirectAccess issues on the TechNet Forums over at As a member of the Anywhere Access Team with a primary focus on UAG DirectAccess (DA), one of the questions that I hear a lot relates to the security of the solution, due to the fact that split tunneling is enabled by default. If…


How To Enable SSTP (Secure Socket Tunneling Protocol) Split Tunneling with UAG 2010

UAG 2010 (UAG) supports two types of network level SSL VPN: Network Connector Secure Socket Tunneling Protocol (SSTP) Network Connector is aimed at legacy clients and SSTP for Windows 7 clients. Network Connector supports both split and non-split tunneling configurations while SSTP, when accessed through the UAG portal, supports only non-split tunneled connections. This can…


UAG DirectAccess Server Deployment Scenarios

(Discuss UAG DirectAccess issues on the TechNet Forums over at A question that I see frequently regarding UAG DirectAccess is “what topology options are available to me? Where’s the best place to put the UAG DA server?”. As with all questions of this type, the answer depends on what your requirements are and what…


Configuring DirectAccess to Support Citrix Connections

We’ve seen a lot of questions on how to get the Citrix client to work with DirectAccess. The following provide some information and procedures that may work to get the Citrix client to work over DirectAccess. The Citrix client can use IPv6 to connect to one type of server only: the Citrix Secure Gateway (CSG)….


Another Cause of the “No Usable Certificate(s) 0x103 Error

One of the most mysterious errors you’ll see when working with DirectAccess are related to failures in IP-HTTPS connectivity. I did a blog post on this problem last year and you can find it at Phillip Sand clued me into another possible cause of IP-HTTPS connectivity problems. First, whenever you suspect a problem with…


Questions and Answers for Planning a Small Business DirectAccess Deployment

While I spend most (all) of my time working with the UAG DirectAccess solution, UAG DirectAccess is functionality essentially represents a superset of Windows DirectAccess functionality. Therefore, I thought it might be interesting to share with you all some questions I received from a fellow who is interested in deploying Windows DirectAccess. Maybe the questions…


UAG DirectAccess–Guess the Device in the Request/Response Path

Take a look at the figures below and see if you can guess what device is in the request/response path that you don’t typically see a UAG DirectAccess deployment. First, the ipconfig output on a DirectAccess client located behind a NAT device: Figure 1 Now let’s ping DC1: Figure 2 Now let’s do a tracert…


Clearing the Air on ISATAP

For companies thinking about deploying DirectAccess, the question of whether or not you need to deploy ISATAP will invariably come up. The answer to this question is “no” and the reasons for why you don’t need ISATAP in a DirectAccess deployment are covered in my article over at However, ISATAP does have a place…