If "Submit unknown binaries for analysis" is enabled, all traffic goes through CB Defense Device Services before it is routed to the Carbon Black Cloud. The Carbon Black Cloud only uses third-party vendor, Avira Operations GmbH & Co. KG (“Avira”), as a subprocessor to assist with the threat analysis. The sensor will never directly communicate with Avira, so there are no additional network changes required.
To determine whether the agent is "onsite" or "offsite" the sensor sends a ICMP echo to see if the each DNS suffix address is reachable. In this case you may observe outbound connections to your Domain Controllers from the Sensor Service (RepMgr).