Hello - your IT security team has to make the server hosting your portals' web adaptor visible to the outside. If you are not using web adaptor, and/or are using web authentication through IIS, and/or are only using the base deployment, then I don't know that anything else I add below applies.
Our org uses F5, a type of proxy server that controls external web traffic to our org. The server hosting the web adaptor is then given an alias name like "ags.yourorg.net" (or .org or .com, whatever you use) and assigned our organizations CA-signed certificate, because you must use https.
Each server hosting the other components of enterprise, such as portal, server and data store, must also be aliased using DNS, like gis1.yourorg.net, gis2.yourorg.net, etc and also assinged your org's CA-signed certificate.
If you don't have these alias names in place and an assigned CA cert on all your machines then collector will fail to update any data.
You then disable anonymous access to your portal. This forces everyone trying to connect to ArcEnterprise externally to login through portal's security. So instead of everyone connecting http://machinename:7443/arcgis/home they are connecting to https://ags.yourorg.net/portal where portal is the name of your web adaptor.