By default, each SEP client connects directly to the SEPM (via port 8014 on the SEPM server) to get the latest policy/settings, to upload logs, and to enquire about the latest available definition updates. The client can be configured to download the updates via a GUP (a GUP is just another SEP client designated/promoted to locally distribute definition updates in the local LAN/subnet) to avoid repeated downloads of the same definition file from the SEPM to the clients of a LAN/subnet. But the normal client-server communication happens directly between the clients and the SEPM (not via the GUP). And just to confirm, a client that doesn't have connectivity with the SEPM will not even try to contact the GUP (even if the GUP machine is in the local LAN and reachable).
Hence port 8014 should be opened on the firewall that is between the SEPM and all the clients.
Alternate workaround:
If the only machine (per LAN) that connects to the SEPM is a proxy server, then you can configure the clients to connect to the SEPM via the proxy server using IP forwarding. But then you will have to dedicate the SEPM server only to SEPM.
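A quick check for the situation described above, added here as an example and not part of the original post: run it on a client to confirm that port 8014 to the SEPM is open through the firewall, and to show that a reachable GUP does not help when the SEPM itself is unreachable. The SEPM and GUP host names and the GUP port are assumptions (placeholders); substitute your own values.

```powershell
# Assumed placeholders: replace with your own SEPM and GUP hosts.
$SepmHost = 'sepm.example.local'   # management server, port 8014 per the post
$SepmPort = 8014
$GupHost  = 'gup.example.local'    # a promoted SEP client on the local LAN
$GupPort  = 2967                   # assumed GUP content port; adjust to your policy

function Test-Port {
    param([string]$ComputerName, [int]$Port)
    # Test-NetConnection is built into Windows 8.1 / Server 2012 R2 and later.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

$sepmOk = Test-Port -ComputerName $SepmHost -Port $SepmPort
$gupOk  = Test-Port -ComputerName $GupHost  -Port $GupPort

"SEPM {0}:{1} reachable : {2}" -f $SepmHost, $SepmPort, $sepmOk
"GUP  {0}:{1} reachable : {2}" -f $GupHost,  $GupPort,  $gupOk

if (-not $sepmOk) {
    # Per the post, a client that cannot reach the SEPM never falls back to the GUP,
    # so a reachable GUP on its own does not keep this client updated.
    Write-Warning "Client cannot reach the SEPM on port $SepmPort; open it on the intervening firewall."
    if ($gupOk) { Write-Warning "GUP is reachable, but it will not be used until the SEPM is reachable." }
}
```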