SmartEndpoint isn't required here at all, but enabling Identity Awareness will definitely be a good idea.
You could actually create two different Access Roles here:
- One that just specifies the relevant networks/hosts (optionally tie it to specific AD groups)
- Another that is Remote Access users
Make sure Remote Access is a valid identity source in the gateway/cluster object.
Note: the reason I am suggesting an Access Role for the networks, versus just using the network objects, is that you generally can't mix regular network objects and access roles in the source/destination field of a rule.
Believe this limitation is removed in R80.40.