This article describes which entitlement you need to add to AppGate SDP so that a Windows domain machine that is off the local network can change its password and receive group policy updates. The user needs to be connected with the AppGate Full Client.
If users are off the LAN, Windows cannot talk to the Domain Controller. This happens when you work from a location other than the office, for example while travelling or working from home. With the right entitlements in place, Windows users can change their password even remotely (if the context allows), and you can push group policy updates to the machine.
You will need to have the DNS servers in an entitlement; usually this has been done already. Make sure they are available to those users (check the filter/policy):
ALLOW TCP up 53 DNS1, DNS2, DNSn
ALLOW UDP up 53 DNS1, DNS2, DNSn
Add the following to an entitlement so that the Windows client machine and the Domain Controller can talk to each other:
ALLOW TCP up 88,135,389,445,464,636,3268,3269,49152-65535 DC1, DC2, DCn
ALLOW UDP up 53,88,123,389,464 DC1, DC2, DCn
ALLOW ICMP up 0-255 DC1, DC2, DCn
Now that the entitlement is in place, adjust your filter/policy to use it. The entitlement is picked up when the tokens are renewed, which happens when the tokens expire, when the admin revokes the user, or when the user logs out and in again.
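To confirm from a remote Windows client that the entitlements above actually let it reach the domain controllers, here is an added PowerShell check; it is not part of the original article or of AppGate's tooling, and the domain name, DC names and DNS server addresses are placeholders you must replace with your own.

```powershell
# Added verification script (not part of the original article or AppGate's tooling).
# Assumptions: run in an elevated PowerShell on the domain-joined Windows client while
# connected with the AppGate Full Client; the three values below are placeholders.
$Domain            = 'corp.example'                               # placeholder domain
$DomainControllers = @('dc1.corp.example', 'dc2.corp.example')    # placeholder DC1, DC2
$DnsServers        = @('10.0.0.10', '10.0.0.11')                   # placeholder DNS1, DNS2

# TCP ports from the DC entitlement that can be probed with a plain TCP connect.
# 49152-65535 is the RPC dynamic range: a port there is only used after the endpoint
# mapper on 135 hands it out, so it is exercised indirectly by the secure channel test.
$TcpPorts = 88, 135, 389, 445, 464, 636, 3268, 3269

function Test-DcReachability {
    foreach ($dc in $DomainControllers) {
        foreach ($port in $TcpPorts) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
            Write-Host ("{0,-28} tcp/{1,-5} {2}" -f $dc, $port, $state)
        }
    }
}

function Test-DcDiscovery {
    # DNS is the first dependency: without the SRV lookup the client never finds a DC.
    # This exercises port 53 to the servers in the DNS entitlement.
    foreach ($dns in $DnsServers) {
        try {
            $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction Stop
            $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
            Write-Host ("{0,-28} SRV lookup ok: {1}" -f $dns, $targets)
        } catch {
            Write-Host ("{0,-28} SRV lookup FAILED: {1}" -f $dns, $_.Exception.Message)
        }
    }
    # The DC locator combines the DNS answer with an LDAP ping (udp/389) to pick a DC.
    nltest /dsgetdc:$Domain
}

function Test-DomainOperations {
    # Netlogon secure channel: RPC via 135 plus a dynamic port, or SMB on 445.
    $ok = Test-ComputerSecureChannel
    Write-Host ("Secure channel to domain: {0}" -f $(if ($ok) { 'ok' } else { 'BROKEN' }))
    # Group policy refresh needs LDAP (389) and SYSVOL over SMB (445).
    gpupdate /force
}

Test-DcDiscovery
Test-DcReachability
Test-DomainOperations
```

A port reported as BLOCKED usually means the entitlement has not been picked up yet (see token renewal above) or the filter/policy does not apply to this user; a BROKEN secure channel with all ports open points at the RPC dynamic range.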
Microsoft Reference: How to configure a firewall for Active Directory domains and trusts