At a minimum the Horizon Agent needs to be able to communicate with the connection servers on TCP 4001/4002 (Depending on your configuration only one of these is needed).
Then it depends on if you are using tunneling/security servers/UAG, the display protocol and the communication you want to allow.
Can you provide us with more details of your deployment?