Take a look at this client starting and stopping his tunnel numerous times.
Each new "start" does NOT challenge the user to establish a new session from the APM policy standpoint.
So keep this is in-mind you have ClientSides checks and the users machine is no longer in policy you could open up a door into your systems with out of compliance hosts.
In this APM policy we have the CSC "continuous" checks disable due to other issues we found.
SO I'm not 100% sure if this would be a major issues to be concern with if you have continuous hosts checks enabled.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=