Bobo
New Member
June 21, 2016
Question

Problem with VPN and group-based firewall rules

  • June 21, 2016
  • 1 reply
  • 4438 views

Hello!


I have a problem with VPN and group-based firewall rules.


I use my workstation A (Win10 Pro) to access server B through 2 FG firewalls which are connected via IPsec VPN. Central FG has an IPv4 policy "allow users from FSSO group X and SRCIP A to access server B". We also have the FSSO Agent installed on the DC (WS2012Std) and normally it works wonderfully - when I'm physically behind my workstation A I can access server B without any problems.


Now, I'm at home and use SSL VPN to connect to Central FG - OK.

Then I open an RDP session from my home PC (Win 7) to workstation A (RDP works OK) and try to access server B from that RDP session - can't connect.


When I open User & Device -> Monitor -> Firewall on Central FG I see this row:

myusername - SSL VPN IP (of my home PC) - Method: Firewall

There are no users listed from my workstation A.


When I lock my workstation A in the RDP session from my home PC and then unlock it, I see 2 rows in the Firewall User Monitor:

myusername (all lowercase) - SSL VPN IP (of my home PC) - Method: Firewall

MYUSERNAME (all uppercase) - workstation A IP - Method: FSSO

And then the connection from workstation A to server B starts to work, but only for 5 minutes (which is the "workstation verify interval" I have configured in the FSSO Agent). After those 5 minutes the second row from the Firewall User Monitor disappears too.

When I try to manually check the workstation from the FSSO Agent ("Test Workstation" button) it pauses for about 5 seconds and then displays the dialog box "User is no longer logged on".

When I'm physically behind my workstation and press the "Test Workstation" button in the FSSO Agent, the test returns "User is still logged on".


Any ideas what might be causing this behaviour? I'd like to be able to use all the FW policy rules from the RDP session just as when I'm physically behind the workstation.

1 reply

emnoc
New Member
June 21, 2016

You need to run diag debug flow to get diagnostics on why it's not working; based on the output you will have an avenue to explore and investigate.
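The flow trace emnoc suggests, written out as an added example (not part of either post, and not Fortinet documentation). It is run on the Central FG CLI; the two addresses are placeholders that stand in for workstation A (source) and server B (destination), and the FSSO listing commands are added so the trace can be compared with what the firewall believes about the user at the same moment.

```fortios
# Added example, not from the thread. Replace the addresses with
# workstation A (source) and server B (destination).

# 1. What does the Central FG currently know about the FSSO user?
diagnose debug authd fsso server-status
diagnose debug authd fsso list
diagnose firewall auth list

# 2. Trace only the traffic from workstation A to server B through
#    the policy engine.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.0.2.10      # workstation A (placeholder)
diagnose debug flow filter daddr 198.51.100.20   # server B (placeholder)
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 100

# ... now reproduce the connection attempt to server B from inside the
#     RDP session, and repeat it after the 5-minute verify interval ...

# 3. Stop the trace and clear the debug state.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset
```

What to compare: in the trace, a packet that matches the group-based policy reports the policy ID it was allowed by, whereas a packet rejected by the forward policy check means no policy matched, which for a user/group policy usually means the source IP was not associated with a logged-on user at that instant. Run the `fsso list` command once while the connection works (the first 5 minutes after unlocking) and once after it stops, and check whether workstation A's IP is still present in the FSSO logon list in both cases.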


omega
New Member
June 22, 2016

Isn't there an FSSO Agent for Terminal Servers?