Access to TCP ports 80 and 443 on the proxy and STS hosts should be permitted from both the internal and external networks. By default the reverse proxy only requires ports 80 and 443 to be open in order to communicate with the STS server; only the proxy should be deployed in the DMZ.
If smart card authentication is used, a separate port is also required for it. By default this is port 8443, but it can be changed to any free port you require.
The STS host should also be permitted to access the internal web applications through any specific ports that they use.
Port 8553 is the admin port used to configure the Cloud Access Manager Proxy. The proxy host downloads its configuration and then locally uses port 8553 to load the configuration. Ensure that port 8553 is not already being used by another application. If port 8553 is already in use, enter an alternative port number in the Cloud Access Manager proxy Installation Wizard. This port does not need to be open on the proxy host for Cloud Access Manager to function.
The default SQL Server port is 1433, but it is configurable. The STS server must be able to communicate with the SQL Server port.
To check that you can connect remotely to SQL Server, run the following from the command prompt on the STS server while logged into Windows as the Cloud Access Manager Service User (replace the placeholder with the database server hostname, and the optional instance name if one is used):
sqlcmd /S <DBServerHostname>[\INSTANCE]
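The port checks described above (proxy to STS on 80/443 and the optional smart card port, port 8553 free on the proxy host, STS to SQL Server and to the internal web applications), collected into one script as an added example; it is not part of the Cloud Access Manager documentation. Hostnames and the internal application list are placeholders, and it assumes Windows PowerShell 4 or later for Test-NetConnection and Get-NetTCPConnection.

```powershell
# Added example, not product code. Run on the proxy host with -Role Proxy, or on the
# STS host with -Role STS. All hostnames below are placeholders to replace.
param(
    [ValidateSet('Proxy','STS')] [string]$Role = 'STS',
    [string]$StsHost       = 'sts.example.internal',    # placeholder
    [string]$SqlHost       = 'sql.example.internal',    # placeholder
    [int]   $SqlPort       = 1433,                      # default, configurable
    [int]   $SmartCardPort = 8443,                      # default, configurable
    [int]   $AdminPort     = 8553,                      # proxy configuration port
    [switch]$SmartCard,                                 # set if smart card auth is used
    # Internal web apps the STS must reach, as host:port (placeholders).
    [string[]]$InternalApps = @('app1.example.internal:8080', 'app2.example.internal:443')
)

# Attempts a TCP connect and reports whether the remote port accepted it.
function Test-Port([string]$Target, [int]$Port, [string]$Purpose) {
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Purpose = $Purpose; Target = $Target; Port = $Port; Reachable = $r.TcpTestSucceeded }
}

$results = @()
switch ($Role) {
    'Proxy' {
        # The proxy in the DMZ needs 80 and 443 to the STS, plus the smart card port if used.
        $ports = 80, 443
        if ($SmartCard) { $ports += $SmartCardPort }
        foreach ($p in $ports) { $results += Test-Port $StsHost $p 'Proxy -> STS' }

        # Port 8553 is used locally to load the downloaded configuration and must not be
        # taken by another application; it does not need to be opened on the firewall.
        $inUse = Get-NetTCPConnection -LocalPort $AdminPort -State Listen -ErrorAction SilentlyContinue
        if ($inUse) {
            Write-Warning "Port $AdminPort is already in use locally (PID $($inUse[0].OwningProcess)); choose another port in the proxy Installation Wizard."
        } else {
            Write-Host "Port $AdminPort is free for the proxy configuration loader."
        }
    }
    'STS' {
        # The STS must reach the SQL Server port and each internal web application's port.
        $results += Test-Port $SqlHost $SqlPort 'STS -> SQL Server'
        foreach ($app in $InternalApps) {
            $h, $p = $app -split ':', 2
            $results += Test-Port $h ([int]$p) 'STS -> internal app'
        }
    }
}
$results | Format-Table -AutoSize
```

Any row with Reachable set to False points at a firewall rule or listener that still needs attention before the corresponding component will work.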