The tunnel port can be set to any number not in use on the policy server and then the same number is to be used on the client servers in the pm.settings file.
For more information please read the PM for sudo 2.0 guide available for download here:
https://support.oneidentity.com/privilege-manager-for-sudo/2.0/technical-documents