ok...where they hide the code behind the firewall ? on Manifest.cf - so its a tunnel definition code when HTML5 is caching on all Manifest files

Defining Host Checker Pre-Authentication Access Tunnels

If your policies require Host Checker rules or third-party J.E.D.I. DLLs to access a policy server (or other resource) to check compliance before users are authenticated, you can use one of the following methods to make the resource available to the Host Checker Windows clients:

• Deploy the policy server in a DMZ where Host Checker rules or third-party J.E.D.I. DLLs can access the server directly instead of going through Connect Secure—This deployment is the simplest solution because you do not have to define a Host Checker pre-authentication access tunnel through Connect Secure between clients and the policy server.
• Deploy the policy server in a protected zone behind Connect Secure (Windows only)—This deployment requires you to define a pre-authentication access tunnel. A pre-authentication access tunnel enables Host Checker rules or third-party J.E.D.I. DLLs to access the protected policy server or resource before the system authenticates users. To define a pre-authentication access tunnel, you associate a loopback address (or hostname) and port on the client with an IP address and port on the policy server. You add one or more tunnel definitions to a MANIFEST.HCIF file, which you then upload to Connect Secure. You can upload multiple MANIFEST.HCIF files to Connect Secure. For all third-party policies enabled on a realm, Host Checker creates tunnels for all of the tunnel definitions in all of the MANIFEST.HCIF files, assuming the definitions are unique.

While running on a Windows client, Host Checker listens for a connection on each loopback address and port you specify in the tunnel definitions. The connections can originate from the integrated Host Checker rules and from client-side or server-side J.E.D.I. DLLs. Host Checker uses the pre-authentication access tunnel(s) to forward the connections through Connect Secure to the policy server(s) or other resource.

Figure 91: Host Checker Creates a Tunnel from a Client to a Policy Server Behind Connect Secure

Note: Host Checker pre-authentication access tunnels are supported on Windows only.

Related Topics

• Specifying Host Checker Pre-Authentication Access Tunnel Definitions

https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Defining%20Host%20Checker%20Pre.htm