In our setup, we use the same URL for both our Pulse Secure client VPN connections as we do for users who log into the web sign-in page to access their various bookmarks. Since we have the host checker assigned to the roles assigned to this realm, the host checker runs whether the user is using the VPN client or the web sign-in. Is there a way to change this, without creating two separate sign in pages, so that host checker only runs when the user VPNs in, but not when they log into the web page?
You need to have two user realms applied to the sign-in page
One realm should be having browser based restrictions set (realm >> authentication policy >> browser) to ALLOW Pulse Secure Client connections (I think the agent string would be Pulse-Secure* or Pulse Secure* with asterik at the end), hence rest of the agent access are denied implicitly.
Other realm would be DENYing the pulse client string + allowing all other agents i.e. allow * (wildcard) for the browsers to access - make sure the deny statements stay at the top and allow * at the bottom.
Apply all the host checker rules to the realm which allows Pulse Client and don't apply them in the realm that denies (that is your web access realm). You need to map the required roles to both realms and the behavior should be seamless.