VPNs make it possible for remote sites and users to become an integral part of a private network, independent of location. But doing so adds risk. Once a remote client has authenticated, it is usually given the same reach as a host on the LAN, and the tunnel carries its traffic past the perimeter controls that would otherwise inspect it. If a remote user's device happens to be infected with a virus, worm or trojan, those network-borne threats can ride the VPN tunnel right into the private network.
Most contemporary VPN concentrators incorporate features intended to mitigate these risks. For starters, many can run an endpoint security scan (often called a host check or posture assessment) before the VPN tunnel is established. If the required endpoint security programs are running and up-to-date, the VPN tunnel is allowed. If not, the tunnel is either denied or the user is placed in a quarantine network that can reach only a remediation server, where they can obtain the missing software or patches. Bear in mind that the scan results are reported by software running on the endpoint itself, so this is a compliance gate rather than proof that the host is clean: a device that is already compromised can misreport its state.
Next, during a VPN session, granular role-based policies can be used to limit what the user can do -- for example, giving someone on a home PC very narrow access to email and nothing else, while a managed corporate laptop gets broader access. In this way, an infected or hijacked endpoint has far fewer hosts and services it can reach, and far less sensitive information it can steal.
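The two steps above, a pre-connect posture check and a role-based session policy, amount to a small decision engine. The following is an added example of that logic, not code from the original article or from any particular VPN product: the posture report schema, the process names, the role names and the addresses in the ACLs are all constructed for illustration, and the ACL syntax is only Cisco-like shorthand. It checks a client-supplied posture report against policy, sends non-compliant endpoints to quarantine (or denies them when no remediation server exists), and hands compliant endpoints the ACL for their role.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class PostureReport:
    """Endpoint posture as submitted by the VPN client at tunnel launch.

    Assumed schema for this example. Every field is self-reported by the
    endpoint, so the check is a compliance gate, not proof the host is
    clean: a compromised client can lie about all of it.
    """
    running_processes: FrozenSet[str]
    av_definitions_date: datetime
    os_patch_level: int
    managed_device: bool


@dataclass(frozen=True)
class PosturePolicy:
    required_processes: FrozenSet[str]
    max_definition_age: timedelta
    min_os_patch_level: int


@dataclass(frozen=True)
class Decision:
    verdict: str                 # "allow", "quarantine" or "deny"
    failures: Tuple[str, ...]    # reasons, empty when verdict is "allow"
    acl: Tuple[str, ...]         # rules applied for the life of the tunnel


# Role-based session ACLs (addresses constructed for the example). A home PC
# gets webmail only; a managed laptop gets the internal network; a quarantined
# endpoint can reach nothing but the remediation server.
ROLE_ACLS = {
    "managed": ("permit ip any 10.0.0.0/8",),
    "home-pc": ("permit tcp any host 10.1.1.10 eq 443",   # webmail front end
                "permit tcp any host 10.1.1.11 eq 993",   # IMAPS
                "deny ip any any"),
    "quarantine": ("permit tcp any host 10.9.9.9 eq 443",  # patch/AV download
                   "deny ip any any"),
}


def check_posture(report: PostureReport, policy: PosturePolicy,
                  now: datetime) -> List[str]:
    """Return the requirements the endpoint fails; an empty list means compliant."""
    failures = []
    missing = policy.required_processes - report.running_processes
    if missing:
        failures.append("required programs not running: " + ", ".join(sorted(missing)))
    if now - report.av_definitions_date > policy.max_definition_age:
        failures.append("antivirus definitions older than %d days"
                        % policy.max_definition_age.days)
    if report.os_patch_level < policy.min_os_patch_level:
        failures.append("OS patch level %d below required %d"
                        % (report.os_patch_level, policy.min_os_patch_level))
    return failures


def decide_session(report: PostureReport, policy: PosturePolicy, now: datetime,
                   remediation_available: bool = True) -> Decision:
    """Posture gate first, then role-based ACL for endpoints that pass."""
    failures = check_posture(report, policy, now)
    if failures:
        if remediation_available:
            return Decision("quarantine", tuple(failures), ROLE_ACLS["quarantine"])
        return Decision("deny", tuple(failures), ())
    role = "managed" if report.managed_device else "home-pc"
    return Decision("allow", (), ROLE_ACLS[role])


# Policy and sample endpoints, all constructed for this example.
POLICY = PosturePolicy(required_processes=frozenset({"avservice.exe", "hostfw.exe"}),
                       max_definition_age=timedelta(days=3),
                       min_os_patch_level=42)
NOW = datetime(2007, 12, 10, tzinfo=timezone.utc)

CORPORATE_LAPTOP = PostureReport(frozenset({"avservice.exe", "hostfw.exe", "explorer.exe"}),
                                 NOW - timedelta(days=1), 42, True)
HOME_PC_STALE_AV = PostureReport(frozenset({"avservice.exe", "explorer.exe"}),
                                 NOW - timedelta(days=10), 40, False)
HOME_PC_OK = PostureReport(frozenset({"avservice.exe", "hostfw.exe"}),
                           NOW - timedelta(hours=6), 45, False)

if __name__ == "__main__":
    for name, report in [("corporate laptop", CORPORATE_LAPTOP),
                         ("home PC, stale AV", HOME_PC_STALE_AV),
                         ("home PC, compliant", HOME_PC_OK)]:
        d = decide_session(report, POLICY, NOW)
        print(f"{name}: {d.verdict}")
        for reason in d.failures:
            print("   -", reason)
        for rule in d.acl:
            print("   acl", rule)
```

Two design points carry over to real deployments: the quarantine ACL should name only the remediation server, so a non-compliant host cannot probe anything else while it downloads patches, and every "allow" ACL for an untrusted role should end in an explicit deny rather than relying on an implicit default.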
Finally, after the session, most SSL VPN concentrators have the ability to clean up after themselves by removing temp files, wiping the browser cache, deleting cookies and closing the browser window. This isn't endpoint security per se, but it can help to avoid accidental data leakage when VPNs are accessed from public or multi-user endpoints. The cleanup depends on the client-side component actually running at logout, so it offers no protection if the session ends abnormally or the browser is closed before it executes; for a truly untrusted kiosk, the safer policy is not to allow sensitive data to be downloaded at all.
This was first published in December 2007