Heartbeat Connection to Cloud is normal HTTPS. However - If a cloud managed Endpoint in local network matches to that cloud registered copernicus firewall in place, they finally start communicating directly among each other if heartbeat is configured. That´s more or less the basic procedure.
Not sure if I am allowed to already expose more details about how endpoint /firewall matching procedure happens and under which conditions they start to communicate among each other at this time. I assume one of the responsible PM´s (which are also reading in that forum) might add details here or in official KB articles, when this information officially gets public.
Thanks for update....I am asking since my Cloud Endpoint cloud not connect to heartbeat services and I am getting info in McsHeartbeat.log that Notify Connection failed...status in Cloud Endpoint console is not connected, but status of Copernicus FW is "Active / yes".
It looks like you have successfully registered your firewall with your Cloud account if you can see in the Network Tab of the Cloud console that the firewall is active. It also looks like the endpoint has the Security Heartbeat policy as it attempting to connect (to the address and port you've indicated).
What I would check now is that the endpoint has that firewall as the gateway - the firewall intercepts the connection attempt to setup the Security Heartbeat connection.
One more question regarding heartbeat. HB protects endpoints on local network behind SophosFirewall. What about the scenario where endpoint client - laptop is outside local network and get infection that compromises current AV client. The alert is seen in Cloud console and endpoint computer connect through VPN (split tunnel) on central SF. Will there be any communication between cloud console and SF to prevent VPN connections from "non-compliant" endpoint computer? Or to prevent access via Business policy - reverse proxy to internal resources?
One more question regarding heartbeat. HB protects endpoints on local network behind SophosFirewall. What about the scenario where endpoint client - laptop is outside local network and get infection that compromises current AV client. The alert is seen in Cloud console and endpoint computer connect through VPN (split tunnel) on central SF. Will there be any communication between cloud console and SF to prevent VPN connections from "non-compliant" endpoint computer? Or to prevent access via Business policy - reverse proxy to internal resources?
