It will depend on the access mechanism you choose. If you use a pure L3 VPN style access mechanism, then 1 realm, 2 roles and 2 'VPN Tunneling Connection profiles' will suffice, as for L3 VPN the SA preserves the source IP that was assigned to the tunnel interface. (Note: 1 realm will suffice assuming your authentication server can return an attribute that allows the SSL VPN gateway to map staff/student to the appropriate role.)

However, if you use any other access method like web (rewrite), File browsing, Secure Application Manager (SAM), etc., then this will get very tricky, as by default the SSL VPN gateway sources traffic for all these access methods using its internal interface IP. You could override the default behaviour by using the role level option called Source IP. However, that was designed to be used on a per role basis rather than a per user basis, which is why in your use case it will be tricky (i.e. you will need one role per user).