The communication between clients and SEPMs is secured with digital certificates, different for each SEPM installation. If they are in replication, they share those certificates to allow client roaming; otherwise it is not possible. When you replace the sylink.xml, you are replacing the certificate on that client as well, which is why it works. I don't know your LU policy to explain why it works; I suspect it is set to use LU servers.
To work around it, you might disable the secure communication:
Clients > select a group > policies on the right > General settings in blue > Security settings > uncheck the last option.
Test it for a small group; if it meets your needs, you can do the same for the other groups.
By doing it you allow the clients to connect to and interact with any SEPM, including a fake one for hacking...