For ePO 4.6, please follow this chart.
1. Agent wakeup: 8081
2. Agent broadcast: UDP 8082
3. Security threats comm: HTTP 8801
Port / Default / Description / Traffic direction

Agent-to-server communication port
  Default: 80
  Description: TCP port opened by the ePO Server service to receive requests from agents.
  Traffic direction: Bi-directional between the Agent Handler and the ePO server, and inbound to the Agent Handler from the McAfee Agent.

Agent communicating over SSL (4.5 and later agents only)
  Default: 443
  Description: By default, 4.5 agents should communicate over SSL (443 by default). This port is also used by the remote Agent Handler to communicate with the ePO Master Repository.
  Traffic direction: Inbound connection to the Agent Handler from the McAfee Agent.

Agent wake-up communication port / SuperAgent repository port
  Default: 8081
  Description: TCP port opened by agents to receive agent wakeup requests from the ePO server. Also the TCP port opened to replicate repository content to a SuperAgent repository.
  Traffic direction: Outbound connection from the ePO server/Agent Handler to the McAfee Agent.

Agent broadcast communication port
  Default: 8082
  Description: UDP port opened by SuperAgents to forward messages from the ePO server/Agent Handler.
  Traffic direction: Outbound connection from the SuperAgents to other McAfee Agents.

Console-to-application server communication port
  Default: 8443
  Description: HTTPS port opened by the ePO Application Server service to allow web browser UI access.
  Traffic direction: Inbound connection to the ePO server from the ePO Console.

Client-to-server authenticated communication port
  Default: 8444
  Description: HTTPS port opened by the ePO Application Server service to receive RSD connections. Also used by the Agent Handler to talk to the ePO server to get required information (such as LDAP servers).
  Traffic direction: Inbound connection to the ePO server from the Rogue System Sensor. Outbound connection from remote Agent Handlers to an LDAP server.

Security threats communication port
  Default: 8801
  Description: HTTP port hosted by McAfee Labs for retrieving the security threat feed. Note that this port cannot be changed.
  Traffic direction: Outbound connection from the ePO server to the external McAfee Labs server.

SQL server TCP port
  Default: 1433
  Description: TCP port used to communicate with the SQL server. This port is specified or determined automatically during the setup process.
  Traffic direction: Outbound connection from the ePO server/Agent Handler to the SQL server.

SQL server UDP port
  Default: 1434
  Description: UDP port used to request the TCP port that the SQL instance hosting the ePO database is using.
  Traffic direction: Outbound connection from the ePO server/Agent Handler to the SQL server.

Default LDAP server port
  Default: 389
  Description: LDAP connection to look up computers, users, groups, and Organizational Units for User Based Policies.
  Traffic direction: Outbound connection from the ePO server/Agent Handler to an LDAP server.

Default SSL LDAP server port
  Default: 636
  Description: User Based Policies use the LDAP connection to look up users, groups, and Organizational Units.
  Traffic direction: Outbound connection from the ePO server/Agent Handler to an LDAP server.

Agent-to-Server communication is supported over a NAT; however, Agent wakeup calls will not work over a NAT.
Additionally, communication over the Data Channel (used by products like Endpoint Encryption for PC 6) will not properly work over a NAT until ePO 4.5 Patch 4 and McAfee Agent 4.5 Patch 2 or later are installed.
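As an added example (not from the original post or from McAfee), the table above can be turned into a quick listener audit for an ePO 4.6 server: parse a `netstat -ano` capture, then report expected inbound ports that are absent, listeners the table does not account for, and outbound-only ports that something on the host has bound. The netstat text below is constructed for the example, and the port roles are assumptions taken from the table.

```python
import re

# Inbound listeners expected on an ePO 4.6 server / Agent Handler, taken from the port table above.
# 8081 and 8082 are opened on the agent side (SuperAgents included), so they are not listed here.
EPO_LISTENERS = {
    ("tcp", 80):   "Agent-to-server communication",
    ("tcp", 443):  "Agent communication over SSL",
    ("tcp", 8443): "Console-to-application server (web UI)",
    ("tcp", 8444): "Client-to-server authenticated (RSD sensors, Agent Handlers)",
}
# Ports the table lists only as outbound from the ePO server; a listener here means some other
# service (for example a local SQL instance) is bound to it and deserves a look.
OUTBOUND_ONLY = {("tcp", 8801), ("tcp", 1433), ("udp", 1434), ("tcp", 389), ("tcp", 636)}

# Constructed sample in Windows `netstat -ano` layout (not captured from a real server).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2345
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       999
  TCP    10.0.0.5:49152         10.0.0.20:1433         ESTABLISHED     1234
  UDP    0.0.0.0:1434           *:*                                    4
"""

# Captures proto, local port and (TCP only) the LISTENING state; UDP lines carry no state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(LISTENING)?", re.IGNORECASE)

def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets that accept traffic (bound UDP sockets included)."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(2)), m.group(3)
        if proto == "udp" or state:
            listeners.add((proto, port))
    return listeners

def audit(netstat_text):
    """Diff observed listeners against the table: expected ports that are absent, listeners
    the table does not account for, and outbound-only ports that are nevertheless bound."""
    found = parse_listeners(netstat_text)
    return {
        "missing": sorted(p for p in EPO_LISTENERS if p not in found),
        "unexpected": sorted(p for p in found if p not in EPO_LISTENERS),
        "review": sorted(p for p in found if p in OUTBOUND_ONLY),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

On the sample the audit flags 8444 as missing (so Rogue System Sensors would fail to report), 3389 as an unexpected listener, and UDP 1434 as an outbound-only port that is bound locally.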
Install an ePO server or Agent Handler in the DMZ to manage the external clients and one in the Internal network to manage only the Internal network clients.
Ensure that the following ports are opened on the firewall to allow agent communication to the ePO server in the DMZ for the internal and external clients:
80 (bidirectional to the External clients only) - Agent-to-Server port (listed as ServerHttpPort in the EPOServerInfo in ePO 4.x)
In my view, a DMZ DNS server design is best practice, as compared to asking your internal DC for name resolution, and for a remote McAfee Agent Handler I never heard about a separate DNS in the DMZ.