Hi Duncan, and welcome to the avast forums.
As you figured out, it's not exactly trivial to set this up. The reason is that there are a number of services in use by ADNM, and these communicate using different ports.
The following table summarizes most:

AMS:
- tcp/16111 - basic communication client -> AMS. Without this, nothing will work
- tcp/5033 - update mirror access. Necessary to get VPS and program updates from the local mirror (as opposed to getting them directly from the Internet)
- tcp/16102 - console access. No need to open this from DMZ (actually, a bad idea IMHO)
- udp/6000 - AMS discovery. Used only if currently selected AMS is unreachable

Managed machines:
- tcp/16109 - "Apply to..." feature. That is, this port is used to push new policies from AMS to the client when an admin uses the "Apply to computer" or "Apply to group" feature in the console
- tcp/16108 - Remote Virus chest access
- tcp/135, tcp/139, tcp/445, udp/137, udp/138 - these are standard RPC and NETBIOS ports necessary for remote deployment of the agents. For more info, please refer to MS website.
Moreover, the "Verify offline status" feature uses standard ping (ICMP) packets to do its job, so if you want to use this feature, pinging from the AMS to the managed machines must not be blocked...
Hope this helps,
Vlk
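The port list above translated into Windows Firewall rules, as an added example that is not part of the original post or of Avast's own documentation; it assumes Windows 8 / Server 2012 or later (for New-NetFirewallRule) and uses placeholder addresses for the AMS, the internal LAN and the managed-machine networks, so that each port is opened only to the hosts that actually need it.

```powershell
# Added example (not from the original post or from Avast): Windows Firewall rules
# for the ADNM ports listed above, using New-NetFirewallRule (Windows 8 / Server 2012+).
# All addresses are placeholders: adjust them to your environment.
$AmsAddress = "10.0.0.10"                            # placeholder: IP of the AMS
$LanSubnet  = "10.0.0.0/24"                          # placeholder: LAN allowed to use the console
$ClientNets = @("10.0.0.0/24", "192.168.50.0/24")    # placeholder: managed machines, incl. DMZ hosts

# --- On the AMS host: inbound from managed machines ---
New-NetFirewallRule -DisplayName "ADNM AMS basic (tcp/16111)" -Direction Inbound `
    -Protocol TCP -LocalPort 16111 -RemoteAddress $ClientNets -Action Allow
New-NetFirewallRule -DisplayName "ADNM update mirror (tcp/5033)" -Direction Inbound `
    -Protocol TCP -LocalPort 5033 -RemoteAddress $ClientNets -Action Allow
New-NetFirewallRule -DisplayName "ADNM AMS discovery (udp/6000)" -Direction Inbound `
    -Protocol UDP -LocalPort 6000 -RemoteAddress $ClientNets -Action Allow
# Console access only from the internal LAN, never from the DMZ
New-NetFirewallRule -DisplayName "ADNM console (tcp/16102) LAN only" -Direction Inbound `
    -Protocol TCP -LocalPort 16102 -RemoteAddress $LanSubnet -Action Allow

# --- On each managed machine: inbound from the AMS only ---
New-NetFirewallRule -DisplayName "ADNM apply-to (tcp/16109)" -Direction Inbound `
    -Protocol TCP -LocalPort 16109 -RemoteAddress $AmsAddress -Action Allow
New-NetFirewallRule -DisplayName "ADNM remote virus chest (tcp/16108)" -Direction Inbound `
    -Protocol TCP -LocalPort 16108 -RemoteAddress $AmsAddress -Action Allow
# Remote deployment of agents: RPC / NetBIOS / SMB, restricted to the AMS
New-NetFirewallRule -DisplayName "ADNM deploy RPC/SMB (tcp/135,139,445)" -Direction Inbound `
    -Protocol TCP -LocalPort 135,139,445 -RemoteAddress $AmsAddress -Action Allow
New-NetFirewallRule -DisplayName "ADNM deploy NetBIOS (udp/137,138)" -Direction Inbound `
    -Protocol UDP -LocalPort 137,138 -RemoteAddress $AmsAddress -Action Allow
# "Verify offline status" sends ICMP echo requests from the AMS
New-NetFirewallRule -DisplayName "ADNM ping from AMS (ICMPv4 echo)" -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $AmsAddress -Action Allow
```

Run the first group on the AMS and the second on the managed machines (for example via GPO); the deployment rules can be removed again once the agents are installed.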