Additionally looks like SEP Client eventually will use server from "Last Successful Connection" becuase without switching MSL back to 443 client is able to connect :) and sylink is not updated on client. It's still like HTTP only:
<Server NameSpace="rpc" VerifySignatures="0" HttpsVerifyCA="0" HttpsPort="443" HttpPort="8014" Address="x.x.x.x"/>
whereas MSL with 443 HTTS will look like this:
<Server NameSpace="rpc" VerifySignatures="0" HttpsVerifyCA="0" Protocol="HTTPS" HttpsPort="443" HttpPort="8014" Address="x.x.x.x"/>
Brain can You confirm that SEP is acting like this ? (case of the same server)
Another conclusion is that syLink will be not replaced if You import wrong one (to which client is not able to connect). I've checked trying to import sylink from different server with modified IP.. couple of tries on Wireshark .. sylink not replaced .. after few minutes communication brougth back to the right SEPM server :)
Brain can You confirm that SEP is acting like this ? (case of sylink import with wrong server inside)
Nevertheless communication must be happeing over HTTP (8014 i.e) if I want to consider certificate replacement :)