UPDATE: My guide for Configuring DirectAccess with UAG Service Pack 1 has been released!
Read it here.
By now you already know that DirectAccess clients connect to corporate resources via an encrypted IPv6 tunnel. The Application Servers wizarad is how you decide where to terminate that encrypted tunnel. The traffic between the client over the Internet and to the UAG server on the corporate "edge" is always encrypted, but with this wizard you can decide to end the encryption after the UAG server or carry that all the way through to the resource endpoint to keep the data encrypted even on the corpnet. Here's a brief
TechNet article on the topic.
Click the Edit button under Application Servers to launch this one page wizard.

The default (and easiest to configure) is the End-to-Edge Encryption. This will encrypt data only between the client and the UAG server and then send the trafic over the unencrypted network that exists between the UAG server and the endpoint corporate resource. This option more closely resembles the way a traditional VPN secures traffic.
The second option enables encryption to pass through the UAG server all the way to the target. It does not prevent End-to-Edge only connectivity, it just requires that the servers you specify in the wizard must use encryption between it and the UAG server. This means these resources must be running Windows Server 2008 or newer, use IPv6 and IPSec. So currently, it's use is pretty scarce. If you want to use this option,
Deb Shinder has a great summary overview of the UAG DA Configuration and in there touches on
how to navigate the End-to-End configuration wizard.

For this guide we'll be doing the End-to-Edge Encryption.