That is an odd one. For my money, I'd be curious to find out if you use a proxy in your environment, and if the SEP Client traffic (and obviously HTTP traffic) from your endpoints is being routed through the proxy.
This should be easy enough to tell via the browser for the logged-on user's session, but would require enabling sylink logging if you wanted to find out if SEP was doing the same (under the SYSTEM account).
As it stands though, the secars test is clearly more reliable. Telnet'ing port 8014 is just quicker/easier than rummaging out the secars URL is all, and still serves as a useful preliminary indicator. There are no other ports used for client communications (unless you have a custom configuration).