SRX Help: Access Dynamic VPN Clients from Trusted Zone

We have an SRX340 with a large number of Dynamic VPN clients running Pulse Secure (almost exclusively Win10 clients).

Traffic from all the VPN clients and any internal zones is working completely as expected.

I’m trying to determine if I’m able to make changes to my SRX so that connections can be initiated from any of my internal hosts to any of my dynamic VPN clients.

With my current configuration if I traceroute from an internal device to a device in my IPSec VPN pool I can see the traffic tries to exit out of my WAN interface, which obviously isn’t going to work.

If I was doing this on a FortiGate then I’d create a policy that allowed traffic from my internal interface to my ssl.root interface and make sure my routing was in place for that. But I don’t think this approach is appropriate (SSL vs IPSec) and I can’t identify an appropriate SRX interface to configure for routing.

Thanks for any help provided.

It’s a design limitation on the SRX implementation of Pulse Secure. A remote (in the eyes of the appliance) user can be given access to various local resources, but local users can’t access remote resources.

I got around this by using Group IKE IDs and a pure IPsec client like IPSecuritas.
Can’t do a tunnel-all configuration and I often have to manually assign IPs to users because XAUTH is borked, but it gets the job done.

I figured as much.

I tried binding a new st0 subinterface to the phase 2 VPN, but then it started prompting for traffic selectors, and I was already defining my included/excluded traffic within the dynamic VPN users.

Thanks very much for the insight.