Link SSL Virtual IP pool to a specific profile instead to SSL
When using SSL Remote access, all profiles use the same IP Pool. If you want to create a profile "network administrators" who has full access to the network and another profile "simple user" who has limited access to network, the "simple users" can access every network the "network administrators" can as long it adds manually the route on its computer.
It is not possible to filter that with the firewall, because both profiles use the same Virtual IP pool. This is a security issue !
The solution would be to allow to chose one Virtual IP Pool per profile, so "network administrators" would receive an IP address from subnet A and "simple users" will receive an IP address from subnet B. It would be easy to filter traffic with firewall rules and more secure (especially when "simple users" cannot remember a secure password)