MPKI certificate errors appear in the events shown for the Enforce Server under Servers and Detectors Overview:
<Yellow alert> 4205 Managed PKI Service certificate expires in <x> days.
<Red alert> 4202 Cloud Service Renewal Enrollment: error requesting client certificate from Managed PKI Service.
The Cloud Certificate for your DLP Cloud Service is good for 3 years from the original Enrollment date, and is about to expire. The 4205 Event Code appears when the existing certificate is within 30 days of expiry.
For customers on Enforce version 15.8 and above, the Cloud Service Gateway initiates the renewal of this certificate through an automated process, shipping the new bundle to Enforce.
Afterward, the DetectionServerController service attempts enrollment of the Renewal Bundle. If the service cannot reach the PKI Manager, enrollment fails with the 4202 Event Code.
Ensure that the Enforce console services have outbound access on port 443 to the following URL for the PKI Manager:
https://pki-scep.symauth.com/
Changes to your network proxy or firewall should not require any action on the Enforce server. The re-enrollment should be successful at the next attempted upload.
If this requires changes to the Cloud Proxy Settings on Enforce, however, ensure the DetectionServerController service is restarted afterward.
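To confirm the outbound access described above, the following added example (not part of the original article or of the product) reports whether the path to the PKI Manager fails at name resolution, TCP connect, proxy CONNECT or the TLS handshake. The function name `check_pki_access`, its parameters and the placeholder proxy address are hypothetical, and it assumes any proxy accepts an unauthenticated HTTP CONNECT.

```python
import socket
import ssl

PKI_HOST = "pki-scep.symauth.com"  # PKI Manager host named in this article
PKI_PORT = 443

def check_pki_access(host=PKI_HOST, port=PKI_PORT, proxy=None, timeout=10.0):
    """Return (stage, detail): stage is "ok" or the first step that failed
    ("dns", "tcp", "proxy", "tls"). proxy is an optional (host, port) tuple."""
    try:
        sock = socket.create_connection(proxy or (host, port), timeout=timeout)
    except socket.gaierror as exc:   # name of the proxy/target did not resolve
        return "dns", str(exc)
    except OSError as exc:           # refused, filtered or timed out
        return "tcp", str(exc)
    with sock:
        if proxy:
            # Assumption: the proxy accepts an unauthenticated HTTP CONNECT.
            request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
            try:
                sock.sendall(request.encode("ascii"))
                reply = b""
                while b"\r\n\r\n" not in reply:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    reply += chunk
            except OSError as exc:
                return "proxy", str(exc)
            status = reply.split(b"\r\n", 1)[0].decode("latin-1")
            if status.split()[1:2] != ["200"]:
                return "proxy", status or "connection closed without a reply"
        try:
            # Default context verifies chain and hostname against the system trust store.
            context = ssl.create_default_context()
            with context.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", f"{tls.version()} issuer={issuer.get('organizationName')}"
        except OSError as exc:       # ssl.SSLError is a subclass of OSError
            return "tls", str(exc)

if __name__ == "__main__":
    print("direct:", check_pki_access())
    # Constructed placeholder proxy; substitute the value from Cloud Proxy Settings.
    # print("proxy :", check_pki_access(proxy=("proxy.example.internal", 8080)))
```

Run it on the Enforce host itself, since the result depends on that host's route, firewall rules and proxy.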