I've been going around and around with this issue. I just implemented an active/standby ASA environment. This is our main firewall and I'd like to use it for our remote sites to VPN into as well (and get rid of our soon-to-be-EOL concentrator). I need the VPN traffic to be filtered for web access. Here is what I have tried so far:
1. In-line appliance. I did a tunneled route so that all VPN traffic would come into our core switch, even if the traffic was Internet bound. This didn't work because when the VPN traffic comes back from the Internet, it goes directly back to the remote site rather than back in through the appliance. The appliance filters on the return traffic, so this didn't work.
2. WCCP. I thought this was the answer until the Cisco tech told me I'd need a WCCP server on every IP subnet, so I'd need 100 of them. That won't work.
3. Proxy. I thought about this, but for our remote laptop users I worry that they won't be able to access the web when they are off the VPN.
I've heard that Websense works the way I would need this to work, but it's quite expensive. Does anyone have any other ideas or corrections to the above statements?
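One way to address the concern in option 3 (laptops losing web access when off the VPN) is a proxy auto-configuration (PAC) script that sends browser traffic through the filtering proxy only while the client holds a VPN-assigned address and goes DIRECT otherwise. The following is an added example, not code from the original poster or from Cisco; the pool address, mask, proxy name and internal domain suffix are assumed placeholders.

```javascript
// Added example (not from the original post): PAC script that forces the
// filtering proxy only when the laptop has an address from the VPN pool.
// All network values below are assumed placeholders.
var VPN_POOL = "10.200.0.0";                 // assumed ASA VPN address pool
var VPN_MASK = "255.255.0.0";
var FILTER_PROXY = "PROXY proxy.corp.example:8080"; // assumed filtering proxy
var INTERNAL_SUFFIX = ".corp.example";       // assumed internal DNS suffix

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number, or -1 if malformed.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip falls inside network/mask. Same semantics as the PAC built-in
// isInNet(), reimplemented here so the decision logic also runs outside a browser.
function inNet(ip, network, mask) {
  var a = ipToInt(ip), b = ipToInt(network), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Core decision, separated from the PAC entry point so it can be exercised
// with explicit client addresses.
function chooseProxy(clientIp, host) {
  // Internal names always go direct; the proxy is only for Internet access.
  if (host.length >= INTERNAL_SUFFIX.length &&
      host.substr(host.length - INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) {
    return "DIRECT";
  }
  // On the VPN (address from the pool): route web traffic via the filter.
  // Do not append "; DIRECT" here unless unfiltered browsing is acceptable
  // when the proxy is unreachable; without it, browsing fails closed.
  if (inNet(clientIp, VPN_POOL, VPN_MASK)) {
    return FILTER_PROXY;
  }
  // Off the VPN (home, hotel, coffee shop): go direct so the laptop keeps web access.
  return "DIRECT";
}

// PAC entry point called by the browser. myIpAddress() is a PAC built-in,
// which is why this function is not invoked when the file is loaded outside a browser.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

The usual caveat with this approach is that `myIpAddress()` returns the address of whichever interface the browser happens to pick on a multi-homed host, so on some platforms it may report the physical adapter rather than the VPN adapter; pairing the PAC logic with a split-tunnel policy on the ASA that leaves the browser no direct Internet path while connected is what makes the filtering enforceable rather than advisory.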