We have a fairly large deployment of 25k+ clients, all in Pull mode. Server is RU6 MP3, and we plan to move to 12.1 in a couple of months.
Via a physical firewall, we see occasional instances of the SEPM server(s) initiating contact with clients. It affects a very small minority of clients, seemingly at random. My understanding of Pull Mode was that all connections are initiated by the client. I have devised a possible explanation, and I would be grateful if someone with more knowledge / experience could confirm.
At the Heartbeat, the client checks in with the server and posts its log files, reporting in effect "I am client ABC with Definitions DEF, using Policy GHI and I have (no / some) infections to report." The client posts its logs to a folder on the server, from which they are processed to the DB. If, in processing to the DB, the server realises that the client policy has been updated, it will send the client a new policy. If the client connection is still open, the policy is delivered via that connection, but if there is a sufficient lag between the client posting the logs and the server processing them to the DB, the client connection will have been dropped so the server has to open a connection back to the client to send it a fresh policy.
Can anyone confirm if my explanation is accurate, or can you offer another explanation for the SEPM-initiated connection?
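An added example, not part of the original post: one way to test the lag explanation against firewall data is to pull out every bare SYN sent from the server to a client and measure how long after that client's last own check-in it occurred. The log format, the addresses and the `SEPM` constant are constructed assumptions; adapt the regex to the firewall's real export.

```python
import re
from datetime import datetime

SEPM = "10.0.0.10"  # assumption: SEPM server address (constructed)

# Constructed firewall log lines: timestamp, source, destination, TCP flags.
SAMPLE_LOG = """\
2012-03-01T09:00:00 src=10.1.1.21 dst=10.0.0.10 flags=SYN
2012-03-01T09:00:01 src=10.0.0.10 dst=10.1.1.21 flags=SYN,ACK
2012-03-01T09:00:05 src=10.1.1.21 dst=10.0.0.10 flags=FIN,ACK
2012-03-01T09:00:40 src=10.0.0.10 dst=10.1.1.21 flags=SYN
2012-03-01T09:01:00 src=10.1.1.22 dst=10.0.0.10 flags=SYN
2012-03-01T09:01:01 src=10.0.0.10 dst=10.1.1.22 flags=SYN,ACK
2012-03-01T09:30:00 src=10.0.0.10 dst=10.1.1.23 flags=SYN
"""

LINE = re.compile(r"(\S+) src=(\S+) dst=(\S+) flags=(\S+)")

def server_initiated(log, server=SEPM):
    """Return (client, seconds since that client's last own SYN, or None)
    for every bare SYN (no ACK) sent from the server to a client."""
    last_client_syn = {}
    findings = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, src, dst, flags = m.groups()
        when = datetime.fromisoformat(ts)
        flagset = set(flags.split(","))
        if "SYN" not in flagset or "ACK" in flagset:
            continue  # replies and teardown belong to an existing session
        if dst == server:
            last_client_syn[src] = when  # client-initiated (pull) check-in
        elif src == server:
            prev = last_client_syn.get(dst)
            gap = (when - prev).total_seconds() if prev else None
            findings.append((dst, gap))
    return findings

if __name__ == "__main__":
    for client, gap in server_initiated(SAMPLE_LOG):
        note = "no prior check-in seen" if gap is None else f"{gap:.0f}s after check-in"
        print(client, note)
```

A consistently short gap is what the lag explanation would predict; a server SYN with no preceding check-in from that client is not accounted for by it.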