@Mr_IT_Guy, you bring up some valid points. Unfortunately, at this time the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN. What you can do, however, is create a firewall rule on the MX blocking the Client VPN subnet from accessing the sensitive internal subnets and/or only allowing specific access. You could apply it on the overall FW page and it would then apply to all VPN clients. Or you could create a Group Policy and then apply it to specific devices. From my testing, Group Policies assigned to Client VPN devices are persistent because this is tied to a virtual MAC address that has a hash of the username that is logged in. It really depends on the level of security you want to put in place. Having an overall FW rule blocking the Client VPN subnet requires no administrative intervention.
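As an added illustration of the "block the Client VPN subnet, allow only specific access" approach (example code written for this thread, not the poster's or Meraki's own): the rule list below uses the field names of the MX L3 outbound firewall rules, and a small first-match evaluator shows why the specific allow has to sit above the blanket deny, since the MX walks rules top-down and permits anything unmatched. The subnets, the allowed host and the port are constructed values; the post names none.

```python
import ipaddress

# Constructed values for the example; the post does not give real subnets.
CLIENT_VPN_SUBNET = "10.99.0.0/24"                    # assumed Client VPN address pool
SENSITIVE_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24"]  # assumed internal subnets to protect
ALLOWED_HOST = "10.10.0.5/32"                         # assumed single app server VPN users may reach


def build_rules():
    """Return the MX L3 rule list: specific allows first, then a deny per sensitive subnet.

    Field names follow the MX L3 firewall rule shape (comment, policy, protocol,
    srcCidr, srcPort, destCidr, destPort, syslogEnabled). Unmatched traffic is
    allowed by the MX's implicit final rule, so the denies must be explicit.
    """
    rules = [{
        "comment": "Client VPN: allow HTTPS to app server only",
        "policy": "allow", "protocol": "tcp",
        "srcCidr": CLIENT_VPN_SUBNET, "srcPort": "Any",
        "destCidr": ALLOWED_HOST, "destPort": "443", "syslogEnabled": True,
    }]
    for net in SENSITIVE_SUBNETS:
        rules.append({
            "comment": f"Client VPN: deny access to {net}",
            "policy": "deny", "protocol": "any",
            "srcCidr": CLIENT_VPN_SUBNET, "srcPort": "Any",
            "destCidr": net, "destPort": "Any", "syslogEnabled": True,
        })
    return rules


def _cidr_match(cidr, ip):
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _port_match(spec, port):
    # Port specs are "Any", a single port, a range "a-b", or a comma list of those.
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= int(port) <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_ip, protocol="tcp", dst_port=0):
    """First-match evaluation, top to bottom, with the MX's implicit final allow."""
    for r in rules:
        if r["protocol"] != "any" and r["protocol"] != protocol:
            continue
        if _cidr_match(r["srcCidr"], src_ip) and _cidr_match(r["destCidr"], dst_ip) \
                and _port_match(r["destPort"], dst_port):
            return r["policy"]
    return "allow"
```

Swapping the allow rule below the denies makes the HTTPS case return "deny", which is the ordering mistake to check for before pushing the list to the dashboard.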