I'm unsure why exactly Blast needs the firewall enabled, but with an exception to allow the traffic. However, this is what it states in the admin guide, and for various customers of mine who have faced the same issue, enabling the firewall and then the Blast exception has resolved the issue.
Most of my customers are only using Blast externally with View Security Servers, which also require that the connection server has the firewall enabled anyway, to create the IPsec tunnel between connection and security server. You could put your Connection servers in their own OU and create a new group policy to enable the firewall just for these servers.