We would like to offer Citrix access to users via the HTML5 VPN portal.

In the new UTM 9.1 you redesigned the Toggles (to enable/disable the features). But why you make the disabled Toggles grey instead red? Please make the Toggles red again. The new Design - but red for disabled Toggles.

It would be great if the AP30 also had the repeating option. The AP50 is too expensive for normal clients.

It would be great to have the ability to disable the On-Access-Scans for a certain amount of time on the client.
E.g. via right click on the systray icon:
"Disable On-Access-Scans..."
"for 1 hour"
"until reboot"

This should, of course, only be possible for admins, perhaps only after entering the tamper protection password!?

I think it's all wireless access points needs 5GHz connectivity.
All professional wireless devices (Notebooks, mobiles ore whatever) are able to connect via 2,4 and 5GHz.
5GHz technology is more stable as 2,4 GHz.

We often deploy new Configurations and Software to our real servers behind about 15 SLBs. By now we always have to login to WebUI to manually rebalance the Real Servers we wan to maintain, and rebalance them back for the second half of a SLBs Real Servers.
It would be nice to have an SSL+Login API to do it automatically using something like Capistrano or even a predefined per-SLB HTTP Response Code, the SLB knows to rebalance to 0 for specific Servers.

For web sites with larger uploads (e.g. ownCloud) there is currently a 128MB (134217728 byte) limit in Web Server protection, the so called request body limit in ModSecurity.
Please add the possibility to configure this parameter (it's "SecRequestBodyLimit" in the Apache config) to allow larger uploads to sites protected by WAF.

The sophos UTM 220 can take 4GB of ram. Now with 9.1 using slightly more ram to work optimally. Could sophos please upgrade the device to come from the factory with 4GB of ram. This will greatly benefit a lot of users who choose the 220 for a small to medium business.

In addition to passwords for entry via the wireless captive portal, it will help us if QR Codes can be printed on vouchers too.
Users with smartphones are able to scan the QR code with the mobile phone, which contains an individual URL to activate the session, equivalent to typing in the vouchers passcode in the captive portal.

Please add MAC address allowed lists to your AP wireless access devices. Even the cheap units from other manufacturers include this, and it is an important additional layer of security.

Have the ability to have Macintosh Endpoint Protection Clients

Whilst you can create Departmental reports, containing the Sites, Traffic, %, Pages, Duration and Requests, it doesn't include the Username of the user. It would be really useful if you could create Departmental reports showing all of this information,sorted by usage and include the username, so that a Department Head can see the usage of all his/her employees, in a single report, rather than having a seperate report for each user. It would also be good if it could include the option to have a date/timestamp entries as well.

Would like to control mobile devices (Encryption/ AV/ Remote-Lockdown) from UTM9 Web Admin

I think it could be worth a look at, unless Snort comes up with a multfhreaded version.
http://www.openinfosecfoundation.org/
http://suricata-ids.org/

Feel free to choose every DynDNS server or add No-IP DynDNS to list.

In the End User Portal I'm able to specify allowed users/ groups.

Therefor I'm able to define a group based on a Active Directory group, limited to backend group membership.

Now the limitation:
The User Portal only accepts AD Groups which are directy related to AD-Users. The use of nested AD groups (Users --> AD-Group1 --> AD-Group2) are accepted by User Portal, but without any action.

A needful enhancement would be the functionality of nested AD Groups, using in User Portal

It would be nice to have Form based authentication as Microsoft ISA or FTMG has. Means an authentication on the Astaro against the AD (SSO) and then store the Information so that Users do not have to authenticate twice if they hit different Web Servers from outside.
Squid has that functionality, i am suprised that Sophos has not implemented it.