I am investigating an alternative solution to DirectAccess due to its IPv6 requirements. We have Cisco ASA and currently use anyconnect for client VPNs. What we're wanting to do is enable some sort of split tunnel on all of our laptops so that whether they are on campus or at home, when they turn their laptop on, a few select servers (such as domain controllers for group policy and other such management servers) can reach the laptops and vise versa, while all other traffic is directed out the laptops normal means.  DirectAccess starts up without user invention, before login and does the split tunneling we want. We want a cisco equivalent.

From what I can tell from my google research is that cisco offers two types of solutions that can sort of achieve this. The anyconnect SBL is one, but I believe this requires user intervention at the login screen, none of our users will do this. The other is the Always on VPN, which starts AFTER login, this means that group policy and startup scripts won't get loaded during the login process. So nether of these will achieve what we want.

Am I correct in my statements above and/or is there another configuration/solutions that will achieve what we need?