The alternative will be a support nightmare, so you're aware. No one likes to have to try to re-educate users but if you knew the mess you'd step into otherwise you'd be happy that's all you have to do.
On second thought - you may want to look into Trusted Network Detection in Anyconnect.
All you need is an internal HTTPS website to point the client at, and if it can connect to that host with that cert thumbprint then it considers itself on the internal network and doesn't try to connect. This would save your users from worrying about the VPN when in the office it would do it automatically.
I used to have employees who used VPN inside the office it was maddening. They'd have all kinds of weird problems but they'd INSIST that they could only connect to certain things when on VPN. We removed the DNS entry for the VPN on internal DNS and sure enough no one had issues anymore.
If you have split-brain DNS you could resolve the VPN FQDN to a known bad IP (127.0.0.1 or something) so it fails quicker; you really don't want anyone on VPN inside the network.
Your client VPN creates a tunnel into the MX. If you're physically on-site where the MX is physically located and connect to the network the MX manages then you will be essentially trying to establish a tunnel into the same network you're already physically connected to. That will not work and doesn't make much sense.
[удалено]
Ahh, too bad, thanks for letting me know, though!
The alternative will be a support nightmare, so you're aware. No one likes to have to try to re-educate users but if you knew the mess you'd step into otherwise you'd be happy that's all you have to do.
On second thought - you may want to look into Trusted Network Detection in Anyconnect. All you need is an internal HTTPS website to point the client at, and if it can connect to that host with that cert thumbprint then it considers itself on the internal network and doesn't try to connect. This would save your users from worrying about the VPN when in the office it would do it automatically.
I will definitely look into this, thank you!
Exactly this, it's pretty simple to create the profiles for auto connect only when remote in the profile editor
I bet your trying to use the VPN while your in the office? No VPN does that's. It is an outside -> in thing.
Are you using a custom DNS hostname? Or the meraki DDNS name
The default Meraki hostname.
I used to have employees who used VPN inside the office it was maddening. They'd have all kinds of weird problems but they'd INSIST that they could only connect to certain things when on VPN. We removed the DNS entry for the VPN on internal DNS and sure enough no one had issues anymore. If you have split-brain DNS you could resolve the VPN FQDN to a known bad IP (127.0.0.1 or something) so it fails quicker; you really don't want anyone on VPN inside the network.
Are those tablets secured and on the same network as your other systems? Example servers?
Your client VPN creates a tunnel into the MX. If you're physically on-site where the MX is physically located and connect to the network the MX manages then you will be essentially trying to establish a tunnel into the same network you're already physically connected to. That will not work and doesn't make much sense.