Traffic initiated from the Protected Resource to the VPN Client can pass through the VPN tunnel using NCP Client Software.
There is a limitation of Dynamic-VPNs using Pulse Client Software that prevented traffic initiation from remote protected Resource to Pulse client (refer KB21800).
VPNs established between SRX from NCP clients support traffic initiated from remote ​protected resource.
VPNs established between SRX devices and NCP Client software allow for traffic being initiated from either from the VPN client or from the remote protected resource using a route-based VPN concept allowing the bi-directional session setup.
Note: Juniper specific NCP client is available for SRX deployments using Junos OS 15.1X49-D80 or higher by using NCP Exclusive Remote Access Solution for Juniper SRX Series.
Refer to the following links for NCP:
Topology:

Client(NCP_Client_Software)----(ge-0/0/0)_SRX_(ge-0/0/1)----Remote_protected_resource(1.1.1.1/32)
Configuration on SRX:
Phase1:
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400
set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text "$9$0/S5OhrW87Vs4xNjH.mTQhSy"
set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "win1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/0
set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
set security ike gateway remote-vpn1 version v1-only
Phase2:
set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800
set security ipsec policy ipsec-policy proposals ipsec-prop1
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- Remote_protected_resource to which client wants to reach
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
Access_profile:
set access profile aaa-prof1 authentication-order password
set access profile aaa-prof1 client win1 firewall-user password "$9$K2yWXNs2aikPdbkP5Q9CKM8"
set access profile aaa-prof1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 30.1.1.0/24 <--Subnet from which IP assigned to Client
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32
Other configuration:
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone VM_SRX_340 interfaces st0.0
Security policies for bi-direction traffic:
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match source-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match destination-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match application any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match source-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match destination-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match application any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit
On NCP Client:
Add the remote-protected resource subnet under split-tunneling (Configuration > Profiles > Edit > Spli_tunneling)
Verification:
root@srx340-r2012# run show security ike active-peer
Remote Address Port Peer IKE-ID AAA username Assigned IP
10.1.1.2 10952 win1@juniper.net win1 30.1.1.1
Client to remote-protected-resource
C:\Windows\system32>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63
Reachibility from Remote_protected-resource to Client
root@srx210he2-r2323# run ping 30.1.1.1 source 1.1.1.1
PING 30.1.1.1 (30.1.1.1): 56 data bytes
64 bytes from 30.1.1.1: icmp_seq=0 ttl=127 time=3.336 ms
64 bytes from 30.1.1.1: icmp_seq=1 ttl=127 time=3.526 ms