In SEPM - Clients- hightlight the group click on Policy on the right hand Side--
On the bottom below all the policies you will see a "+" Location Specific Settings
When you expand it...first one will be the Control mode ( default is server control )
I guess you have tested all the policies in Server Control since every thing was default.
Change the Server Control to Client Control ( all the logs can viewed in real time in Client Control )
But the Firewall Policies applied by SEPm are ovwerwritten by the local Policies..
So just for Troubleshooting purpose..
Change it to client mode..
Once policy is update
Open the NTP Logs-Check the time stamp ...run the WinVnc and check what traffic has been captured.
Once you have captured that information..
You can change the Mode back to Server Control and then we can modify the policy.