You're correct. SEPM will initiate connection with these ports on the client side when starting a remote push. The SEPM itself does not need these ports open in order to function correctly.
Additional info for reference located here:
http://www.symantec.com/docs/HOWTO81103