To put things very generally, DA works by creating an IPSec tunnel (actually, two tunnels, but more about that later) between the UAG server and the client, and encrypting the traffic that is destined for the internal network. UAG receives the traffic from the client and decrypts it, and sends it on its way to the internal servers. More specifically, the administrator creates a configuration using the UAG management console, and that configuration is added as a group policy object. Then, all clients are required to connect to the corporate network (either physically, or via other VPN technologies) and receive the group policy update. After the update, Windows is ready to automatically create the IPSec tunnels to the UAG server as soon as the computer leaves the corporate network and connects to the public internet somewhere else. Then, full corporate network connectivity ensues.
The tough part is creating the foundation for this, as it requires a fully functional...