Do I need to change firewall rules for incoming traffic?

No. LoginTC services do not connect directly to on-premise Connector appliances. It is the on-premise appliance which reaches out when necessary.

For example, when a user is authenticating the Connector will send a secure authentication request to LoginTC and will then poll every second for the result until the request timeout is reached.