The best answer is to get a Management Gateway Appliance and just open port 443 (SSL) to it, and nothing to the core.
Otherwise there is not a single port that can be opened; it's really a lot of ports, depending on what part of the technology you want to use. I highly recommend against trying to do that, because you will end up poking so many holes in the firewall that your DMZ will become nearly worthless.
Thanks a lot for the reply.
I thought about the implications of opening ports like that and that is why I asked.
We have a LANDesk gateway, so I think that would work better and be safer.