What is your actual IP pool defined in the connection profile and what IP address is assigned to the VPN adapter on the Vista once NC/Pulse is connected? From your description I'm seeing 2 different IP's Initially you mentioned the pool is: "connection profile - test-profile ip addresses 192.168.92-125-192.168.92.126 applies to role joe" And in your next post you mentioned that the VPN address is: "but not from the VPN address 192.168.126." *IF* your actual VPN adapter IP address is in a subnet that is different from the MAG SM-160 internal interface then the MAG will not proxy arp for the VPN adapter IP which means when the target/backend server responds those packets will not reach the MAG's internal interface. To workaround this you have to add static routes on your network such that any traffic for the NC IP pool is sent to the internal interface of the MAG SM 160 so it can send it back to the client machine over the tunnel. This issue and solution is described in detail in http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB23048 Note: The "network connect server ip address" parameter is internal to the MAG and is used to terminate the client tunnels. You will never see it being used when routing packets to backend, etc its only used internal within the MAG/SA device. The reason its configurable is this IP has to be unique on your network (does not have to be on any specific subnet, etc) so in the event 10.200.200.200 already exists on your network then you need to change the parameter, else there is no need to change.
... View more