If your concern is the Firewall guys, then simply state that you need the same ports required for a Windows system. We just make things work.
If they need a reference, they can review the port requirements:
- TCP 53 (DNS) - without name resolution there's no communication. Period. This means that A and SRV records must be resolvable by all systems on each side of the trust relationship.
- TCP 3268 (Global Catalog): In AD, a domain controller with the Global Catalog role contains a partial replica of all objects in AD. Global Catalog placement has performance implications.
- TCP and UDP 389 (LDAP): This should be self-explanatory.
- TCP 445 (modern Server Message Block): This is optional, but required for GPOs used for config management.
- TCP 88 (Kerberos KDC): Self-explanatory; this is the port for Kerberos communications.
- TCP 464 (Kerberos password change): This is the port for password change operations.
- TCP 123 (SNTP): This is optional, to sync time with the domain controller's Windows Time Service.
- Ephemeral ports (*): These are often overlooked, but these are the high ports used for socket communications.
You have commands like adinfo -T [domain.name] and adcheck that help with these tasks.
The canon is here: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Note: We are not using SASL; our application leverages NSS, PAM, modified MIT Kerberos libraries and our Shared Objects.
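An added pre-join check script that probes the TCP ports listed above from the Unix host and parses the SRV answers the post says every system must be able to resolve. It is not from the original post or from the adinfo/adcheck tools it mentions; it assumes bash (for /dev/tcp), coreutils `timeout` and `dig`, and the DC hostname and domain are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example (not from the original post): connectivity check for the
# AD ports listed above, run from the system about to join the domain.
# Assumes bash (/dev/tcp), coreutils `timeout` and `dig`; hostnames and
# the domain are placeholders supplied by the caller.

# Port list taken from the post. UDP 389 and the ephemeral high ports
# cannot be probed with a plain TCP connect, so they are not in this list.
AD_PORTS='53 DNS
3268 Global-Catalog
389 LDAP
445 SMB
88 Kerberos-KDC
464 Kerberos-kpasswd
123 SNTP'

# tcp_open HOST PORT: exit 0 if a TCP connect succeeds within 3 s, else 1.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# srv_targets: read `dig +short SRV` output ("prio weight port host.") on
# stdin and print "host port" per line with the trailing dot stripped.
srv_targets() {
    while read -r _prio _weight port host; do
        if [ -n "$host" ]; then
            printf '%s %s\n' "${host%.}" "$port"
        fi
    done
}

# check_dc HOST: report each listed port as OPEN or CLOSED; the exit
# status is the number of closed ports, so 0 means everything answered.
check_dc() {
    host=$1; failed=0
    while read -r port desc; do
        if tcp_open "$host" "$port"; then
            printf 'OPEN   %-5s %s\n' "$port" "$desc"
        else
            printf 'CLOSED %-5s %s\n' "$port" "$desc"
            failed=$((failed + 1))
        fi
    done <<EOF
$AD_PORTS
EOF
    return "$failed"
}

# Usage (placeholder domain): find DCs via the _ldap SRV record, probe each.
#   dig +short SRV _ldap._tcp.example.com | srv_targets | \
#       while read -r h p; do check_dc "$h"; done
```

A DC that resolves but reports CLOSED on 88, 389 or 3268 is the usual sign of a firewall rule missing between the two sides of the trust.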