The Auth Connector (BCCA) is installed on a member server. To establish connections to various destinations/servers/public domains on certain ports, all these destinations and ports are required to be open and unrestricted.

Web Security Services 

Auth Connector 

Authentication: (BCCA.exe)
Port 443 to auth.threatpulse.com (199.19.250.193 & 199.116.168.193)
Port 443 to portal.threatpulse.com (199.19.250.192)

Note: In an IPSEC deployment, BCCA must also be able to talk to the same data pods authentication servers where the IPSEC tunnel terminates. Please refer to Unified Agent in failed close state & Unable to connect to the Internet and Authentication IP Addresses by Data Center for more details. For other deployments, all the data pods authentication servers need to be reachable by BCCA.

Authentication: (ACLogon.exe - login script for sending logged-in credentials directly to BCCA.)
Port 80 from all clients to BCCA server

Roaming Captive Portal:
Port 8080 to proxy.threatpulse.com

SAML:
8443

Internal ports: (between BCCA server and Domain Controllers)

• 139,445 TCP
• 389 LDAP
• 3268 ADSI LDAP
• 135 Location Services / RPC (RPC may also require other random ports for End-Point Mapper which not listed here)
• 88 Kerberos
• 1024 to 5000 Endpoint mapper (opened by RPC).  However, it is possible ports over 5000 are used depending on your Active Directory (AD) configuration. Refer: How to configure RPC to use certain ports and how to help secure those ports by using IPsec.