We use connection-aware type firewall rules and they work great for us... In your case, the first question I would have is: do you use an ePO agent handler to provide communication when off network? If you do, then only using the requirement for the ePO server to be reachable won't work for when you are off your network.
If you go under the Host IPS Catalog, you need to configure what are called Location groups. This is where you set the requirements, one of which is "ePO reachable". We use both DNS IP and DNS Suffix for our requirements.
We are not using agent handlers outside of the network, hence the reason for the rule. We would like specific firewall rules when the customer is off the corporate network. We are also not using HIPS anymore, but the firewall on Endpoint 10.
Hi Johann, I just took a look and it appears that the firewall rules work the same for Endpoint 10 or HIPS. I would suggest duplicating the default rule and then creating a new group, at which point you can set the location-aware settings. Attached is a picture of the default with a location-aware group and one rule for any/any traffic to show you what I am talking about. All groups that have location-aware set will also be blue in color.
So basically, anything above the blue location-aware group works when inside or outside the network, as does anything below it. Any rule under the location-aware group you would only have when inside the network.