We are in the process of testing an "Always On" VPN solution for our remote users using the AnyConnect 3.x client and the SBL module. We've opted for machine-based authentication that uses certificates from our PKI. The VPN head end is a pair of ASA 5520s in Active/Standby mode. Once the machine authenticates, the user will be required to authenticate to the laptop using cached domain credentials. Laptops will be running Windows 7 Professional.
So far, we have a couple of concerns:
1. We would like to streamline the process of booting the laptop to the VPN connection by bypassing the "Switch User" button and going directly to the "network logon" options. Or, when the laptop is powered on, it goes directly to the SBL process and automatically creates the VPN with no user interaction (using the machine certificate).
2. We are exploring the idea of using a smart card or RSA-type token for authenticating the user to the machine/domain rather than using AD credentials.
3. Many of our remote users will be at hotels that require authentication via a captive portal; how does this work with the SBL?
The main purpose of this thread is to gather opinions and caveats from other engineers who have deployed an Always On solution. We are hoping to deploy this in the next couple of months and avoid as many 'gotchas' as possible. We would also like to hear what has worked best, or not worked best, for other organizations.