I want to confirm my understanding of the network flow through a firewall so I can explain it to my customer.
So let’s assume I have relay A as my internal relay and relay B as the relay on the other side of the firewall.
My understanding is that if I need relay-to-relay communication to flow through a firewall, that firewall must have TCP port 52311 open in both directions. This is required because relay A pushes site content to relay B and relay B pushes client results (i.e. files to be uploaded, heartbeat signals, etc.) to relay A. In other words, communication through the firewall can be initiated by either relay.
Typically firewalls allow outgoing traffic. If they don’t allow outgoing traffic for some reason, then that is a more unusual case and could cause problems if it isn’t opened. It is typically the incoming rules on the hardware and software firewalls that are an issue.