To ensure secure communications, no communication at all should take place outside the secure tunnel created from the SDC to the SDM / Spectroserver.
It is a requirement that there are no entries in routing tables providing alternative routes to / from the SDC / SDM.
None of the devices should be contactable from the Spectroserver. If they are in a DMZ / secure zone then this should be the case, but some customers' environments in the past have allowed the devices to be contacted directly, which means SDC <-> SDM is not the only way communication can be made.
The secure communication can be initiated from the SDM or the SDC, but once the communication is started it is bidirectional. It is not possible to have communication only from the SDM --> SDC or only from the SDC --> SDM.
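
One way to audit the Spectroserver host's routing table against the routing requirement above, as an added example that is not part of the original page or of any product tooling. It assumes a Linux host and the output format of `ip -4 route show`; the route lines and device networks are constructed sample data, and a default route is counted as an alternative path unless a more specific unreachable / blackhole / prohibit route overrides it.

```python
import ipaddress

# Route types that drop traffic instead of forwarding it.
NON_FORWARDING = {"unreachable", "blackhole", "prohibit"}

def parse_route(line):
    """Parse one line of Linux `ip -4 route show` output.
    Returns (network, forwards, original_line) or None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    forwards = tokens[0] not in NON_FORWARDING
    dest = tokens[0] if forwards else tokens[1]
    if dest == "default":
        dest = "0.0.0.0/0"
    return ipaddress.ip_network(dest, strict=False), forwards, line.strip()

def alternative_routes(route_lines, device_nets):
    """Return (device_net, route_line) for each route that would carry
    traffic from this host straight to a secured device network."""
    routes = [r for r in map(parse_route, route_lines) if r]
    findings = []
    for dev in map(ipaddress.ip_network, device_nets):
        # Longest-prefix match among routes covering the whole device network.
        covering = [r for r in routes if dev.subnet_of(r[0])]
        if covering:
            best = max(covering, key=lambda r: r[0].prefixlen)
            if best[1]:
                findings.append((str(dev), best[2]))
        # More specific forwarding routes into part of the device network.
        for net, forwards, text in routes:
            if forwards and net != dev and net.subnet_of(dev):
                findings.append((str(dev), text))
    return findings

# Constructed sample: routing table of a hypothetical Spectroserver host.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.20.0.0/16 via 192.0.2.254 dev eth0
unreachable 10.30.0.0/16
10.40.1.7 via 192.0.2.254 dev eth0
""".splitlines()
# Constructed sample: networks holding devices managed through the SDC.
DEVICE_NETS = ["10.20.5.0/24", "10.30.0.0/16", "10.40.1.0/24"]

if __name__ == "__main__":
    for dev, route in alternative_routes(SAMPLE_ROUTES, DEVICE_NETS):
        print(f"{dev}: reachable outside the tunnel via '{route}'")
```

An empty result only shows that this host has no route of its own to the device networks; firewall rules between the zones still need to be checked separately.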