It would be nice to be able to take Running-Config and Startup-Config snapshots using Tunneled mode, but use SCP for pushing OS images.
Tunneled transfer mode works for all devices in 13 data centers, but then we cannot backup the device OS using OS snapshots. In order to fix that, we switch them all to SCP. The problem we run into there is that some devices specifically deny SSH outbound, so the Junipers across the network cannot be backed up. We also have firewalls that allow SSH outbound from BNA to the devices in another building, but not back from the device to BNA. Ideally we could update the firewalls to allow that traffic to initiate from the routers, and we could update the Juniper devices to allow SSH file transfers, but when you're talking about 5000+ devices in a change-controlled environment, it would be much easier to be able to iteratively address the devices and still get backups