Only port 443 is needed. The agent uses this to communicate with the APM SaaS instance (Enterprise Manager)
To double check the port (and the EM Host/DXI Server), you can review the agent profile.
Look for the setting "agentManager.url.1". This lists the host the agent is connecting to, and the port. The agent must be able to access this through the firewall.