The best way would be to use XO Proxies as "Reverse HTTP proxies" (or any reverse proxy in each DC) and then tell XO to connect to those proxies.
This way, each DC will have only one entry point exposed to the outside, and you could manage that with your central XO.
This is a subject we planned to work on in the next months. If you have a support subscription, please open a ticket so we can do an initial test inside your infrastructure 🙂