Happy New Year!
Currently there is no mechanism to block updates from secondary nodes, but it is easy to implement it.
Modifying or adding another protocol requires a lot of work, testing and maintenance. Maybe in this case you can make the primary nodes bind to the TCP port 80. If the firewalls just control by port number, then it may work.
It is as simple as:
If the firewalls inspect the packets and only allow HTTP, then it would not work.
One option would be tunneling of TCP on websockets (websockify and similars). But it may be hard on Android, and also "hacky". The implementation of websockets support on LiteSync would need to use libuv as the event loop library. I personally have no time for doing this.
I suspect that no customer company uses LiteSync with a million nodes, although I don't ask about their setups. 2 months ago I was testing a similar product to exactly support 1 million connections per server. Although it reached good numbers, it worked slower than expected (32 core 32GB RAM server) probably due to signature verification of messages (I still need to debug the cause, the test was under high throughput from secondary nodes). On your case only the primary node(s) would send data and LiteSync does not use digital signatures, so it would not have this problem. I can try to reproduce the test with LiteSync and share the results.