One of the important things to remember about the AnyConnect client is that it is "always on," meaning that it enforces security policies based on the location of the user, even when there is no tunnel in place. The AnyConnect client periodically connects to the ASA even when the client is not running — you'll see these little 20-packet exchanges to the HTTPS port of the ASA as it verifies that the ASA is alive and well and doesn't have a new policy to hand out.
You can change the security policy on the fly, so you don't have to get it perfect before you start your deployment, but it's a good idea to know where you want to end up before you start. Because the configuration tools within ASDM are so complicated, the only way to avoid getting lost is to zero in on what you want to accomplish. Building policy is only easy to do if you know what you want to enforce.
Cisco could have done a much better job in ASDM of making things consistent and usable. In the VPN part of the GUI alone, there are dozens of options and a confusing and contradictory set of terms. This makes it easy to make mistakes, or build a less-secure deployment because you didn't get everything done correctly.
For example, split tunneling can be done with a much higher level of granularity than was available previously, a great security improvement. But digging out the different features and getting them properly configured involves multiple screens and "Advanced" tabs that have to be opened. The result is that it's easier not to use this new feature and to end up with a less secure deployment.
While much of the VPN feature set can be configured using the command-line interface (CLI), making full use of the feature set requires you to use ASDM. The basic encryption and tunneling tools are all CLI-based and CLI-debuggable, but some parts of the client-side policy configuration rely on hidden files on the internal flash that are best left to ASDM to keep straight.
We built a basic ASA firewall using the CLI, and then we stuck entirely with ASDM. Once we got all of the licensing pieces worked out, our final configuration with RADIUS authentication, end-point security checking, and Web-based downloading of the AnyConnect client from the ASA appliance only took about an hour.
But that configuration was done with the help of one of Cisco's trainers. The solution has a lot of moving parts, and without hands-on guidance, we could have spent days covering the same territory. If you can possibly afford the time, sit down and read through the documentation or take some training.
Happy end users