Thanks. Trying to figure out now how to set the "gateway IP address" for my WAN interface instead of one of the internal ones. Endpoint Client gets stuck on "retrieving site information", and if I check trac.log it shows a non-WAN IP address for the VPN gateway.
Edit: figured that out. The remaining challenge is to allow my remote client access to manage the CP cluster itself (2 GWs and a mgmt server). I have two rules with an access role as the source on both. One has all CP objects as the destination; the other specifies the entire subnet. Services are any, VPN community is set to remote access. I can ping, but HTTPS for instance is blocked.
Edit 2: Ah, it seems that Identity Awareness (which it forced me to enable in order to use Access Roles in a rule) is not picking up the user that signed in from Endpoint. I could probably use the "Office Mode" IP pool, but would prefer to leverage Access Roles. Any ideas on what I could be missing?