When ITCM starts, it collects all inventory information and then tries to send it to the SS. If a machine is connected from an outside network, its communication details are generally sent to the SS, which then forwards them to the DM.
This is the point at which the outside network IP address comes into the picture. The DM and the SS now hold this information and will use it to try to reach the agent computer again.
So, if a firewall rule is created in Windows Firewall (or any other firewall) on the DM and on the SSes to block such traffic, the DM and SS will not communicate with IP addresses outside the customer's corporate network.
Put simply, the agents send this information, and the SS and DM later use it because they hold the details that the agent machine sent earlier.
Using local firewalls on the Domain Manager and the Scalability Servers to prevent this communication to addresses outside the corporate network should solve the problem.
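
One way to build such a rule for Windows Firewall, as an added example that is not part of the original article or the product's own tooling: a block rule has to list the addresses to deny, so the script computes every IPv4 range outside the allowed networks and emits a single outbound `New-NetFirewallRule` command to run on the DM and each SS. The corporate ranges, the local-only ranges, the rule name and the IPv4-only scope are assumptions.

```python
import ipaddress

# Assumption: constructed corporate ranges; replace with the customer's networks.
CORPORATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Assumption: loopback, link-local and multicast/broadcast stay reachable.
LOCAL_ONLY = ["127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3"]


def outside_ranges(allowed_cidrs):
    """Return the IPv4 ranges not covered by allowed_cidrs, as 'start-end' strings."""
    # IPv4Network rejects typos such as host bits set (10.0.0.1/8) or IPv6 input.
    nets = ipaddress.collapse_addresses(
        [ipaddress.IPv4Network(c) for c in allowed_cidrs])
    ranges, cursor = [], 0  # cursor = lowest address not yet classified
    for net in nets:  # collapsed networks arrive sorted and non-overlapping
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:
            ranges.append((cursor, first - 1))  # gap before this allowed network
        cursor = last + 1
    if cursor <= 0xFFFFFFFF:
        ranges.append((cursor, 0xFFFFFFFF))  # tail after the last allowed network
    ip = ipaddress.IPv4Address
    return [str(ip(a)) if a == b else "%s-%s" % (ip(a), ip(b)) for a, b in ranges]


def block_rule_command(name, allowed_cidrs):
    """Build the PowerShell command that blocks outbound traffic to outside ranges."""
    ranges = outside_ranges(allowed_cidrs)
    if not ranges:
        raise ValueError("allowed networks cover all of IPv4; nothing to block")
    remote = ",".join("'%s'" % r for r in ranges)
    return ('New-NetFirewallRule -DisplayName "%s" -Direction Outbound '
            '-Action Block -RemoteAddress %s' % (name, remote))


if __name__ == "__main__":
    # Hypothetical rule name; paste the printed command into an elevated
    # PowerShell session on the Domain Manager and on each Scalability Server.
    print(block_rule_command("Block non-corporate agent addresses",
                             CORPORATE + LOCAL_ONLY))
```

The emitted rule blocks all outbound traffic from the server to those ranges, not only ITCM traffic, so confirm the DM and SS need no other external destinations before applying it.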