Astaro Security Gateway Feature Requests
Welcome to our official feedback forum. Do you have an idea? Do you recognize a good idea when you see one? We want to hear from you!
-
Wireless Security: Authentication via Active Directory Credentials
Add the ability to connect to the wifi network / hotspot using your AD credentials.
The “company” wifi network can then be accessed using your credentials and when an account is removed or disabled you also cannot connect to the wifi anymore. With that feature you don’t have to change the wifi code whenever a person leaves the company. Maybe also add AD group membership so you can easily grant a select group of people access to your wifi network.
56 votes -
Wireless: SMS Passcode for HotSpot
Add a fourth variant for hotspot type "SMS Passcode". User enters his mobile phone number into captive portal, and will obtain a passcode via SMS. Just got this requirement today from a partner, who wants to set up a free public wifi hotspot this way for a customer...
22 votes -
real 2 way OTP SMS Authentication
real 2-way SMS-OTP-VPN Authentication:
SSL Client VPN (and SSL Clientless VPN):
1. enter username and password.
2. the ASG will send a sms otp token and waits for user input
3. enter sms token
4. authentication complete.
To realize this, we need the Radius Challenge / Response feature
or the ASG sends an email with a token to an SMS gateway and waits for the user input.
17 votes -
Web Security: URL Filtering of HTTPS without "full" Interception
Enable the option to filter HTTPS traffic based on category for transparent proxy mode, based on the domain lookup. (No SSL interception necessary.)
It would not be as granular as full scanning, since the rest of the URL is encrypted, but it would provide some level of content filtering.
26 votes -
Reporting: AD/eDir Backend Group "Departments"
Logging and Reporting - Web Security
Would love the ability to run reports based off of AD/eDir backend groups. Either by adding this functionality separately or by allowing the addition of backend groups to the ASG's built-in "Departments".
8 votes -
Networking: Masquerading (NAT) Balancing Across All Public IP's
Enterprise customers want to have a chance to use ALL public addresses configured on the WAN interface, even though the HTTP proxy is turned on.
Since this special functionality is built into iptables, it would be nice just to have it in the webadmin, like a check box "USE ALL AVAILABLE IP ADDRESSES FOR MASQUERADING", or a box to include which IP addresses will be used for masquerading (that would be even better).
The reason for this feature is to keep users working, even if the primary WAN IP address is banned.
10 votes -
Authentication: Multi-User Support for Astaro Authentication Agent (AAA)
Every enterprise, university, or other large corporation has multi user computers. It would only make sense to have multi user support added to the AAA client. By default it should not install into the user's profile. It should be a workstation installation and you should have the option of installing it for all users like most programs have.
An added bonus would be if the user didn't have to enter in their credentials, the credentials would be pulled from the machine using the SSO features and automatically entered into the AAA client.
45 votes -
WebAdmin: Limit UserPortal Choices Per-User
Hi,
It would be great if I could disable the user-portal items on a per-user basis.
Scenario:
I am the admin of a UTM9 with some HTML5-VPNs and the SMTP stuff, I have some roadwarriors with SSL-VPN, and the support from a service provider uses the IPSec client for remote access.
The enduser-portal is enabled, so the people above can download their clients and configurations and change the passwords.
Now we have WLAN for our guests with a voucher.
The nice girl from the reception should issue the vouchers for the guests....and nothing more....but she gets all the stuff she doesnt…
11 votes -
Endpoint Protection: Local Update Server
Although reasonable bandwidth is available at most sites, it doesn't make sense that each endpoint is updating its protection from the internet. There should be an option that either the ASG itself is the (primary) update server or one or two endpoints. I would prefer to have an extra 10 or 20 GB partition for such a feature.
19 votes -
Network Security: Self-Defending Features
"Automatic Self Defending Actions"
Based on another feature request "Automatic realtime log parser / threat analyzer", an implementation for automatic countermeasures on specific events would allow building active "self defending actions" such as banning source IPs of potential attackers on the basis of failed login attempts or brute force attacks for a specific time. This could be used for ASG services, but also for internal services published through an ASG such as FTP, OWA, RDP etc.
- Builds up on the feature request "Realtime Log parser / threat analyzer"
- Events in "Realtime Log parser / threat analyzer" can trigger user defined actions…
11 votes -
Network: 4G USB Support
The support for 3G modems implemented in 8.200 was great, but due to limited bandwidth maybe only useful as a failover link. Can this support also include 4G modems as the Huawei E398? With 4G, network speeds up to 80 MBit is achievable. I would use this support at customers' appliances as well as my sw appliance at home, bundling 4G with DSL!
24 votes · started
Angelo Comazzetto (Admin, Astaro) responded:
We have increased device support in the UTM 9 beta which began in March. Several 4G adapters should work using a new driver set. Try yours out and let us know at astaro.org!
-
Generate a Certificate Signing Request CSR with ONE CLICK
9 votes -
More Powerful Flow Monitor
In the Flow Monitor, it would be nice to be able to click on a Host/Client, and list all of their connected Host/Clients, ports that they are using, and bandwidth used for each of those. Currently the Flow Monitor only lists total traffic used by a Client/Host, but for more information the text logs have to be searched.
It would also be nice to be able to have fine grain control of that traffic (throttle and blocking) in real-time from inside the flow monitor. Options like temporary blocks, or data caps, would all be a bonus too.
37 votes -
Web Security: Exceptions for Parent Proxy
We are required to use a parent proxy for all sites. In certain instances, it is necessary to bypass the parent proxy setting when an exception is made. For instance, certain users should have access to a site that is blocked by the parent proxy. Creating an exception for this URL that also allows the user of that exception to bypass the parent proxy is an absolute must.
12 votes -
Networking: Enterprise Server Balancing
Today I fear a datacenter with several ASG and we are building a cluster environment to provide the VMWare virtual firewall service to our customers.
Lately, we have received many demands for load-balance/fail-over of bundled applications. We would like that feature in Sophos UTM to be a little more mature ... so we would not need to use other appliances for this solution.
Today, Astaro allows only load-balance for TCP, UDP, HTTP, HTTPS, but without much intelligence.
A good example would be load-balance/fail-over to be implemented as below:
Method Description:
Source IP Hash: The traffic load is statically spread evenly across…
8 votes -
VPN: Spice Protocol for HTML5 VPN
Please add support for the Spice protocol. It is an Open Source solution for interacting with KVM Virtual Machines, and gives you a rich user experience. It is a kind of Remote Desktop protocol. Also, support for more Remote Desktop types would be cool, like *NX, and XDMCP.
9 votes -
limit traffic usage and warn the admin
We need a feature to monitor the WAN traffic of expensive satellite uplinks. When the paid data volume is nearly exhausted the ASG writes a mail to the Admin. So we need a max. data volume value and a threshold value.
13 votes -
Networking: Route Track Monitoring
With RTM we can track the gateway for a static route, so that in case the gateway is not reachable the route will get disabled automatically.
This lets me put the active / passive route to one destination via multiple paths.
8 votes -
Networking: Server Load Balancing to one IP
Very simply, I want to set up LB for future server expansion or to have some offline server as a fail-over. The sad thing is that the GUI does not let me only set up 1 "Real Server". This is an example of over thinking GUI capabilities that make it less useful. I had to create a fake IP for a server that did not exist. The other drawback to that, is the router now sends out ARP calls asking for someone to identify themselves as the newly defined IP for which there is no running server.
4 votes -
VPN: Act as a VPN Client
Add VPN client support such as L2TP inside the ASG so it can connect to a VPN server without having Site2Site.
Much like most consumer VPN routers can do to connect to an Enterprise.
36 votes