Thanks for that the key ports are already available as per the document. I have tailored rules for MR4.
The problem is registering a client to be managed where the client is the other side of the firerwall and windows sharing is not allowed through the firewall.
The initial registration of the client through the SEPM looks for the workgroup name and this then fails to register the client computer.
Also with the deployment of client packages is there an alternate mechanism as it rather than a shared directory that will still allow for automation through the SEMP GUI
Again thanks for the comments both were helpful but not the solution