Thanks for the response. In the end this was the same conclusion we came to, but the security policies at the organization do not permit split tunnels. With the ISE redirect in a posture unknown state, all HTTP and HTTPS traffic is redirected. We tried using the ASA FQDN ACL to exclude some of the Microsoft servers, but depending on the client location the Microsoft server name resolution changed and hence this worked intermittently. We ultimately abandoned the requirement, but I do appreciate your time to respond as this is exactly the resolution to this problem.