How do I add an exception to the firewall for a specific port on an unmnaged client running SEP 12?

You would need to create an allow rule for that port. Under NTP select configure firewall rules. You can add a new rule and edit as needed. Once done save and move to the top

See this

Firewall policies on unmanaged Endpoint Protection clients

http://www.symantec.com/business/support/index?page=content&id=TECH105725

Easy once you know where it is.  Thank you.

Of course, it doesn't help.  Installing SEP 12.1 seems to break every server I put it on so I can't use them.  If they do work they're really slow.  The only answer seems to be removing the application altogether.

Break how? Stops communication? What if you only install AV?

The unmanaged client has a more stringent policy then what managed has and managed is much more manageable. I have NTP running on all my servers so I'm curious as to what you're seeing.

I'm still working through the process.  What I've seen is a Hyper-V host which was unusable over RDP because it was so slow - the clients seemed OK.  Another Hyper-V host blocked HTTP on a guest machine when I installed SEP even though it wasn't installed on the guest.  With SEP on the DNS servers my VPN didn't work.  Generally the machines are very slow to respond across the network with the Symantec software installed, file shares and other services take significantly longer than they should.  I would just use the AV but if I'm going to use Symantec I need the firewall too, otherwise I'll have to find another solution.  Since the real requirement is that the servers do their job I've had to remove it for now until I have a chance to spend more time on it.

I imagine that given time I can sort it all out but I really don't need an update to a piece of software I was already using stopping everything from working properly.