OK, you need to open the following TCP ports on the AMS:

  • 6011 (for communication between the agents and the AMS)
  • 6002 (for communication between the console and the AMS)
  • 6000 (used only for enumeration of computers on the network) – not that important

and also

  • 5033 (for updating from the mirror) – this is standard HTTP protocol (if your firewall allows settings protocol-specific rules)