On a DirectAccess deployment with Forefront UAG I ran into a weird issue: even though the transition interfaces (IP-HTTPS or Teredo) were up, the IPsec connection refused to come online.
- The Forefront UAG server, sitting in a DMZ, used a PKI dedicated to that zone.
- The client laptop used a different PKI, the one on the production network.
Moral of this story: never take anyone's word for it, and check everything in the certificate again, including the certification chain. That will save you days and days of lost time :).
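The chain check that would have exposed the mismatch above, as an added example that is not part of the original post. It walks the machine certificates that carry the Client Authentication EKU, builds each one's chain with the .NET X509Chain class, and reports which root CA the chain ends at; run it on both the client and the UAG server. The name `Get-ChainReport` and the `$ExpectedRootThumbprint` placeholder are assumptions of this example, not anything from the post.

```powershell
# Added example (not from the original post): inspect the certification chain of the
# IPsec machine certificates and compare the root they chain to against the root CA
# the DirectAccess IPsec policy expects.
# Assumptions: certificates live in Cert:\LocalMachine\My and $ExpectedRootThumbprint
# is a placeholder you replace with the thumbprint of your own expected root CA.

param(
    [string]$ExpectedRootThumbprint = 'REPLACE-WITH-EXPECTED-ROOT-CA-THUMBPRINT'
)

function Test-ClientAuthEku {
    # True when the certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
    # which is what DirectAccess uses for computer authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { return $true }
            }
        }
    }
    return $false
}

function Get-ChainReport {
    # Builds the chain with online revocation checking and no relaxed verification flags,
    # so an untrusted root or an unreachable CRL shows up as a chain problem.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $built = $chain.Build($Certificate)

    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root = if ($elements.Count -gt 0) { $elements[-1] } else { $null }

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        ChainBuilt     = $built
        ChainLength    = $elements.Count
        RootSubject    = if ($root) { $root.Subject } else { '<none>' }
        RootThumbprint = if ($root) { $root.Thumbprint } else { '<none>' }
        # Each ChainStatus entry names one problem (UntrustedRoot, RevocationStatusUnknown, ...)
        Problems       = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        Path           = ($elements | ForEach-Object { $_.Subject }) -join ' -> '
    }
}

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku -Certificate $_) }

if (-not $candidates) {
    Write-Warning 'No machine certificate with a private key and the Client Authentication EKU was found.'
}

foreach ($cert in $candidates) {
    $report = Get-ChainReport -Certificate $cert
    $report | Format-List

    if (-not $report.ChainBuilt) {
        Write-Warning "Chain for $($cert.Thumbprint) does not validate: $($report.Problems -join '; ')"
    }
    elseif ($report.RootThumbprint -ne $ExpectedRootThumbprint) {
        # The situation in the post: a chain that validates locally, but to the wrong PKI.
        Write-Warning "Chain for $($cert.Thumbprint) ends at '$($report.RootSubject)', not at the root the IPsec policy expects."
    }
    else {
        Write-Host "Chain for $($cert.Thumbprint) ends at the expected root CA." -ForegroundColor Green
    }
}
```

A chain that builds on the client but ends at a root the UAG server does not trust (or the reverse) is exactly the case the transition-interface status will not reveal, which is why the root thumbprint is compared explicitly rather than relying on `ChainBuilt` alone.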