Do I need to change firewall rules for incoming traffic?
No. LoginTC services do not connect directly to on-premise Connector appliances. It is the on-premise appliance which reaches out when necessary.
For example, when a user is authenticating the Connector will send a secure authentication request to LoginTC and will then poll every second for the result until the request timeout is reached.