Firewall Configuration (bi-directional):
Mandatory Firewall Ports:
TCP 1433: Default SQL Port
Optional Firewall Ports:
TCP 334: RDP
TCP 9090: SEPM Remote Management Console
Firewall Configuration (bi-directional):
Refer to the Management Server List assigned to the client group to determine the communications port the SEP clients will use to communicate to the SEPM. Default values are:
TCP 80 (MR2 and earlier)
TCP 8014 (MR3 and later)
TCP 443 (secure communications)
NOTE: You may consider using non-standard ports for communication as another layer of protection. This communications port is configurable in the Management Server List assigned to the client group.
Push deployment port that needs to be open
TCP 139 and 445 on management servers and clients
UDP 137 and 138 on management servers and clients
TCP ephemeral ports on management servers and clients
Overview of Push Deployment Wizard in Symantec Endpoint Protection 12.1
https://www-secure.symantec.com/connect/articles/overview-push-deployment-wizard-symantec-endpoint-protection-121
Symantec Endpoint Protection 12.1: Installing the Manager for the first time and deploying clients
http://www.symantec.com/business/support/index?page=content&id=TECH163580
Edit...
Check this artical.
http://www.symantec.com/business/support/index?page=content&id=TECH92051&locale=en_US
Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
http://www.symantec.com/docs/TECH178325
http://www.symantec.com/connect/articles/sep-121-best-practice-license-other-articles