I received a question from a customer looking for a way to prevent an end user from using the SSLVPN client when at the office. As far as I know there isn't a PRACTICAL way to do this but I'm throwing it out here in case there are some good ideas.
The office has an ASA and an S2S tunnel to the UTM 9 in a datacenter where all their servers and apps are housed. Only LAN traffic goes over the tunnel; split tunnel is in effect at the office site, so they appear to come from the internet and can make the SSLVPN connection just like from anywhere else. If I were to block port 443 traffic from the public IP of the office, then the IT staff at the office cannot set up users ahead of time and can't even get to the user portal. Unless they were to have a secondary internet connection they could use just for setup, I don't see a way to do this other than to educate the users.