Security Heartbeat & Inbound rule

Question

Hi, I hope this isn't a dumb question -- I've only just started looking at XG Firewall. 
 I have laptops out in the field, and I'd like the patch management system I use to be able to keep in constant contact with them, as most field users have no real need to ever turn on VPN. 
 I'm wondering if it's possible to create an inbound rule to the patch management server that will only permit the connection if it's coming from a machine with a valid Security Heartbeat status (I have Endpoint Advanced licenses for all my clients) 
 If this was possible it would be amazing, but it could also be that I've completely misunderstood how this feature works! 
 Many thanks.

ChrisKnight · Answer

The process of the endpoint talking to the firewall for heartbeat functionality is listed here: 
 https://docs.sophos.com/nsg/sophos-firewall/v17.1.1/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FHeartbeatConfiguration.html%23 
 If the scenario you mentioned involves Windows on the laptops in the field and Windows Server(s) at the patch management system end, then DirectAccess is a very good fit with what you're trying to achieve. 
 https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/directaccess 
 You get the added bonus that Security Heartbeat will work in this scenario as the DirectAccess IPSec tunnel is up well before Sophos Endpoint needs to exchange Heartbeat status with the Firewall.