Either the first device is unable to connect to the APNS servers to submit the push ID, or the second APNS server is unable to establish the connection with the Marketing server. Can you raise a support ticket with Tech Ops? They are better suited to help you, as they will have access to the logs.
If you can convince your security team to expose the internal Marketing instance to the public internet, then no additional servers are needed. It's safer and more reliable to ingest tokens via an ETL process instead of from the app directly, though.
The SDK should be installed for the tracking feature either way, which goes directly to the public tracking server.
You shouldn't need to use any additional server for this as far as I know.
Go to the deployment wizard in your instance (Tools, Advanced, Deployment wizard), then navigate to the 'Access from the internet' section and use the URLs highlighted below for the marketing and tracking server.