This article explains a requirement for installing Host Checker patches. Patches cannot be installed (through Patch Remediation) after a VPN tunnel (Junos Pulse or Network Connect) has been launched, nor can they be installed through the secure tunnel.
The PRM (Patch Remediation Management) License is installed on the SA, but patches cannot be installed.
The patch installation starts, but it never completes.
The install hangs and looks like this:
‘Limited network access.
Update is in progress. You may close this dialog. Once updating is complete you will be logged in to the network.’
Patch Remediation is a Pre-Auth process and can only be done before launching a VPN tunnel. Patch Remediation cannot be done Post-Auth (after the VPN tunnel is established).
Shavlik/SMS/SCCM cannot download patches through the tunnel once the VPN tunnel has been launched. The remediation (patch download) should be done through the local NIC adapter and not through the tunnel.
For Patch Remediation to work, the client computer should have access to the Internet so that Shavlik can download the missing patches from the vendor servers. With SMS/SCCM, the client computer should have access to the desired server from the local LAN.
As a workaround, a Host Checker remediation message (custom rule) can be used to direct users to another realm that does not enforce the policy and allows only L3 access to the patch servers. The users can then manually update the patch and try logging in again through the standard realm.
If downloading the patches must be through the tunnel, an Enhancement Request needs to be worked through with the local Juniper account team.