I've bumped into an unintended consequence of a circuit migration.
Previous config was 8 sites connected privately via MPLS. We moved off MPLS onto dedicated internet circuits, and created one VPN community with all sites. For the encryption domain at the location where management is, rather than selecting the whole subnet, I added the objects individually, but didn't add the management server for the obvious reason that I didn't want a VPN failure to prevent management from communicating with the gateways. Management reaches all gateways via their public IP, and management is publicly addressed.
I realize now that I need management to communicate with some inside resources for AD-related items. So, what would be the best way to handle this?
Is there a way to supersede with a rule that says management <-> gateways don't tunnel?
Maybe drop the management server into the encryption domain but exclude all services that management uses, which looks like at least: tcp/18191, tcp/18264, tcp/18192
Open to all ideas, or maybe (likely) I'm missing the obvious answer. Don't think it matters for this, but all versions are R81.10, latest GA HFA.
Thanks