Updating and Activating policy

  • Question

  • Hi

    I need to add a new NRPT exemption rule in the configuration.

    Last time I did this DA broke on a few of our remote clients and they needed to connect back to the network via legacy methods and update group policy before the laptop would activate DA again.

    Can you confirm if there is a recommended way of making these changes?

    The last time I followed these steps:

    1. Opened Gateway management console
    2. Edit Infrastructure servers (step 3)
    3. Add DNS suffixes to exclude from DA
    4. Apply Policy
    5. Activate

    We have had cases in the past where it is unable to update the Group Policy, so a delete and recreate is sometimes needed.

    Now that we have so many users using this as their remote access method I need for this to work.

    Any advice please let me know.

    Wednesday, October 19, 2011 11:49 AM

All replies

  • Hi Lee,

    your way to update the DA configuration is correct. I did it many times before and I didn't get any issues.

    When your clients fail to apply the new configuration and also fail to DA into your network any further, then you'll need a solid "Plan B". Personally, I always deploy SSTP based VPNs alongside of DA for that purpose. If DA fails, I simply advise the user to turn off the DA based DNS resolution (via DCA) and dial in using SSTP followed by a "gpupdate /force" (either through the UAG Portal or by using a manual VPN connection).


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Wednesday, October 19, 2011 12:14 PM
  • Hi, If you are using the default setup and policy names created the procedure above is correct.

    One step missing is the gpupdate /force. Once you have completed and run the update script from the UAG wizard you need to wait a bit before you activate it. You need to make sure the GPO is updated on the server.

    This however makes no difference on the server end if you have only added an NRPT rule, as these go into the client GPO only.

    If your setup is growing I would advise a test GPO for these purposes. We are using a slightly different procedure.

    1. Change the settings via the DA wizard and EXPORT the script.

    2. Modify the script (Server GPO name, Server Machine security group, Client GPO name, client GPO Security group)

    3. Run this script so it creates/updates a test server and test client GPO

    4. Apply this GPO on a test machine(s)

    5. Test and if all OK we run the original exported script.

    This will give you a way of having a shadow DA client or clients that get the new GPO first. You can then test in peace and if all OK you can change the main GPO.

    On the server end it's more difficult but easier at the same time. The difficult part is that if you get it wrong all clients are disconnected. The good part is you can easily roll back the server side as that is under your control.

    For the client GPOs, once it's out there it's out there, and if it's wrong and disconnects your clients, you are in trouble. That's why I have some DA client virtual machines in a DA test group that get the updated GPOs first.

    And if you store your running configuration (export the DA script each time) you will be able to revert.

    PS: Make sure you exclude your DA test client from the normal DA security group so they do not get the normal GPO also!


    Thursday, October 27, 2011 7:32 AM
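Steps 1 to 5 of the reply above, as an added example that is not code from the thread, from UAG or from Microsoft: a PowerShell script that turns the wizard's exported script into a shadow copy by swapping the production GPO and security-group names for test ones (step 2), refusing to write the copy if any production name is missing, plus a helper to confirm on a test client that the NRPT entry arrived after gpupdate /force (step 4). It assumes the exported script is a plain-text file in which those names appear as literal strings; every path, GPO name, group name and DNS suffix below is a placeholder. The client check uses `netsh namespace show effectivepolicy`, the command that prints the effective NRPT on Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the thread, UAG or Microsoft). Assumes the UAG
# DirectAccess wizard export is plain text containing the production GPO and
# security-group names as literal strings. All names/paths are placeholders.

$ExportedScript = 'C:\DA\DAConfig-prod.ps1'   # assumed path of the wizard export
$TestScript     = 'C:\DA\DAConfig-test.ps1'   # assumed path of the shadow copy

# Production name -> test name, one entry per item the post lists:
# server GPO, server security group, client GPO, client security group.
$NameMap = @{
    'DirectAccess Server Settings' = 'DirectAccess Server Settings - TEST'
    'DA Servers'                   = 'DA Servers - TEST'
    'DirectAccess Client Settings' = 'DirectAccess Client Settings - TEST'
    'DA Clients'                   = 'DA Clients - TEST'
}

function New-TestDaScript {
    param(
        [string]$Source,
        [string]$Destination,
        [hashtable]$Map
    )
    $content = [System.IO.File]::ReadAllText($Source)

    # Phase 1: replace each production name (longest first) with a unique token
    # that cannot occur in the script, so a test name that happens to contain a
    # production name is never rewritten a second time in phase 2.
    $keys   = @($Map.Keys | Sort-Object { $_.Length } -Descending)
    $tokens = @{}
    $i = 0
    foreach ($k in $keys) {
        $hits = ([regex]::Matches($content, [regex]::Escape($k))).Count
        if ($hits -eq 0) {
            # A "test" script that still targets production is worse than none.
            throw "Production name '$k' not found in $Source; check the map before running anything."
        }
        $token = "`0MAP$i`0"
        $tokens[$token] = $Map[$k]
        $content = $content.Replace($k, $token)   # exact, case-sensitive match
        Write-Host ("{0,-30} -> {1} ({2} occurrence(s))" -f $k, $Map[$k], $hits)
        $i++
    }

    # Phase 2: tokens -> test names.
    foreach ($t in $tokens.Keys) {
        $content = $content.Replace($t, $tokens[$t])
    }

    [System.IO.File]::WriteAllText($Destination, $content)
    return $Destination
}

# On a DA test client, after 'gpupdate /force': return the effective NRPT
# entry for a suffix (the matching line plus the settings that follow it, up to
# the next blank line), or $null if the suffix is not in the effective policy.
# For an exemption rule the entry lists no DirectAccess DNS servers.
function Get-NrptEntry {
    param([string]$Suffix)   # e.g. '.lab.example.com' (placeholder)
    $lines = @(netsh namespace show effectivepolicy)
    $start = -1
    for ($n = 0; $n -lt $lines.Count; $n++) {
        if ($lines[$n] -match [regex]::Escape($Suffix)) { $start = $n; break }
    }
    if ($start -lt 0) { return $null }
    $end = $start
    while (($end + 1) -lt $lines.Count -and $lines[$end + 1].Trim() -ne '') { $end++ }
    return $lines[$start..$end]
}

# Usage, steps 2-3 of the post (review the generated file before running it):
#   New-TestDaScript -Source $ExportedScript -Destination $TestScript -Map $NameMap
# Step 4, on a test client after gpupdate /force:
#   Get-NrptEntry -Suffix '.lab.example.com'
```

The hard stop on a missing production name is the point of the script: a silent partial substitution would produce a file that looks like a test copy but still rewrites the production GPOs, which is exactly the all-clients-disconnected failure the reply warns about. Keeping the unmodified export alongside the generated copy gives you the rollback the last paragraph of the reply recommends.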