The Host Checker mechanism is a security scanner for the Juniper VPNs, in the same vein as Cisco's CSD and GlobalProtect's HIP. It is also used by the Pulse Secure protocol but support for running it with the Pulse protocol is not included in OpenConnect yet.
Many sites require a Java applet to run certain tests as a precondition of authentication. This works by sending a DSPREAUTH cookie to the client which is attempting to authenticate, and the Java code in tncc.jar then runs and communicates with the server, handing back a new value for the DSPREAUTH cookie to be used when autnentication continues.
This Java applet is a black-box binary provided by a server outside of the client's control, and therefore has similar security concerns to Cisco's CSD trojan.
OpenConnect supports running the Java binary, or emulating its behaviour, by passing the --csd-wrapper=SCRIPT argument with a shell script.
The OpenConnect distribution includes two alternative scripts to support the execution or emulation of Host Checker, in the trojans/ subdirectory:
tncc-emulate.py: This Python 3.x script does not actually run the tncc.jar binary. Instead, it emulates the behaviour of the tncc.jar binary, rather than actually executing it. Because this script does not actually execute a server-provided binary, security concerns are greatly alleviated.
It may require configuration or customization to work with VPNs that have modified the behaviour of their Host Checker binaries in some way; consult its source code for details, starting with the list of environment variables that may be set to overridden some of the data that it sends to the server.
This script is based entirely on tncc.py from russdill/juniper-vpn-py on GitHub.)
With either of these scripts, it may also be necessary to pass a Mozilla-compatible user agent string:
./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=trojans/tncc-wrapper.py vpn.example.com