Let me start off by saying that I always install the MIM Service and Portal on the same server. I have seen a few places where they were installed separately, and it was just an operational overhead to manage on day 2. Let's look at this use case where you have internal firewalls being used, always a bad idea in my opinion; really, what do you gain? So, what do you need to open up to balance security and operational overhead on day 2? Note this is slightly different if you are dealing with an external firewall. External in this case does not have to be the internet; it could be two subsidiaries in an organization who don't completely trust each other due to business or regulatory reasons.
Between MIM Sync and the MIM server and all DCs, open all ports both ways. Quite a task if in Prod you have 50 DCs scattered all over the world. In general it's best practice to point MIM to:
1/ The nearest physical DC
2/ The most reliable DC
3/ The most powerful DC
4/ The least used DC
If all these qualities are in one DC, that will be the primary, and then have a backup. MIM connects to an initial DC and latches on to that DC literally forever unless you manually force a change. That is standard practice for all IDM products.
Between MIM servers (Sync to Service and Service to Service), open these ports both ways:
TCP/UDP 135 (RPC EPMapper)
TCP 135 (RPC EPMapper)
TCP 5000-5001 Dynamic RPC ports (PCNS)
TCP 57500-57520 Dynamic RPC ports (AD MA)
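As an added example (not from the original post), the following PowerShell scopes the MIM-to-MIM ports listed above to the peer MIM server's address instead of "everyone", and then verifies TCP reachability from the other side. The server name and IP at the bottom are constructed placeholders.

```powershell
# Port matrix exactly as listed in the post; the peer name and address used below are placeholders
$MimPorts = @(
    @{ Name = 'RPC EPMapper';      Protocol = 'TCP'; Port = '135' },
    @{ Name = 'RPC EPMapper';      Protocol = 'UDP'; Port = '135' },
    @{ Name = 'PCNS dynamic RPC';  Protocol = 'TCP'; Port = '5000-5001' },
    @{ Name = 'AD MA dynamic RPC'; Protocol = 'TCP'; Port = '57500-57520' }
)

function New-MimPeerRules {
    param([string]$PeerIp)
    foreach ($p in $MimPorts) {
        foreach ($dir in 'Inbound', 'Outbound') {
            $name = "MIM $($p.Name) $($p.Protocol) $($p.Port) $dir"
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            $rule = @{
                DisplayName   = $name
                Direction     = $dir
                Protocol      = $p.Protocol
                RemoteAddress = $PeerIp      # scoped to the peer MIM server, not "any"
                Action        = 'Allow'
                Profile       = 'Domain'
            }
            # Inbound rules match on our listening port; outbound rules on the peer's port
            if ($dir -eq 'Inbound') { $rule.LocalPort = $p.Port } else { $rule.RemotePort = $p.Port }
            New-NetFirewallRule @rule | Out-Null
        }
    }
}

function Test-MimPeerPorts {
    param([string]$PeerName)
    # Test-NetConnection checks TCP only, so UDP 135 is not covered here
    foreach ($p in ($MimPorts | Where-Object { $_.Protocol -eq 'TCP' })) {
        $lo, $hi = $p.Port -split '-'
        if (-not $hi) { $hi = $lo }
        foreach ($port in ([int]$lo)..([int]$hi)) {
            $ok = (Test-NetConnection -ComputerName $PeerName -Port $port `
                       -WarningAction SilentlyContinue).TcpTestSucceeded
            # A dynamic RPC port only answers while a service has registered an endpoint on it
            [pscustomobject]@{ Service = $p.Name; Port = $port; Open = $ok }
        }
    }
}

# Placeholder peer values (constructed); run on each MIM server pointing at the other
New-MimPeerRules -PeerIp '10.0.0.20'
Test-MimPeerPorts -PeerName 'MIMSVC01.corp.example' | Format-Table -AutoSize
```

A `False` on a port in the 5000-5001 or 57500-57520 ranges is only a firewall problem if the endpoint mapper (135) is also unreachable or the service is known to be listening there at the time.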
Between MIM Service/Portal and everyone, open both ways