What is the best way to restrict MECM clients to a specific server for all MECM needs?

We have dozens of clients in an isolated development network.  A server on the same network has the MP and DP roles, and the firewall has been configured to allow that server to communicate with all other necessary site systems in the production network.  The firewall has also been configured with rules to allow all clients on this development network to use the necessary ports/protocols to communicate with the SUP in the production network.  We’ve noticed that many of the clients in that development network make unsuccessful connection attempts to other site systems outside the development network.  Why are they attempting to do this?  We have an AD site for the subnet of this development network, and a corresponding boundary group.  The boundary group is configured with the local site system server.  I have enabled the “Clients prefer to use management points specified in boundary groups”