What ports need to be open for OpenEdge Replication through a firewall

What ports need to be open on a firewall for OpenEdge Replication target database server
Is there an additional port or range of ports that need to be opened on the firewall in order for the source RPLS to communicate with the target RPLA?
Bi-directional ports for the replication Server process to communicate with the OpenEdge Replication Target and back again?

To allow the Replication Server and Replication Agent(s) to communicate through a firewall, apart from the target database Broker port (-S), the Agent listener ports that the rpagent process starts on (listener-minport, listener-maxport ) must be open on the firewall.

1. The target database Broker port is defined by :

• The Service (-S) target database startup parameter
• The port value listed in the [control-agent.agent] section of the source.repl.properties configuration file.
• The control-agent.agent port defined in the configuration sourcedb.repl.properties file is the same as the -S Service value used to start the target database. They are referred to differently by the various code-path network communications.
• [control-agent.agent1]
  .....
  port=4501

2.    The Agent listener ports

• The listener-minport and listener-maxport aren't known until after the RPLS is able to connect to the target database Broker listener port
• Once the RPLS is connected to the target database login broker port, the rpagent (RPLA) takes a port in the range defined by the listener-minport and listener-maxport range defined in the [agent] section of the target.repl.properties configuration file to communicate with the RPLS.  
• Replication uses 1 tcp/ip connection between the replication server (RPLS) and agent (RPLA). This range be reduced down to as little as one port if it can be guaranteed to always be available, but not advised.   When DSRUTIL is used to failover or failback it will open a connection peer on the other end depending on the failover configuration set. DSRUTIL -C MONITOR does not use tcp/ip at all.
• The replication agent listener-minport port must not start with the same number as the port defined for the replication target database in the sourcedb.repl.properties file under the control-agent.agent1 section
• The Service Port (-S) the target database is started with must not be be part of the listener-minport listener-maxport range. 
• If two target databases are configured, then consider all agent port definitions
• If replication failover or OpenEdge 11.7 replication sets are configured, there is also the 'agent' port of the source database to consider
• The default values are:

• The target database Server Ports (-minport, -maxport) will also need to be opened in the firewall if clients connect cilent/server to the target database with a Replication Plus License. For further information refer to Article  Which ports needs to be open on a firewall between a remote client and the database?   
• If Port Scanning software is used, these ports also need to be excluded from being scanned, otherwise unexpected failure will result. Refer to Article  Port Scanning software causes RPLA process to terminate   

Progress Article:

OpenEdge Replication Agent and Server terminates after connection failure