The IQService provisioning agent calls functions exposed by Microsoft's .NET packages. These packages are a "black box" and communicate with Active Directory indirectly. Identity Security Cloud does not control which port numbers these APIs use to interact with Active Directory. Microsoft publishes a list of the ports that the .NET API and ADSI interfaces use to communicate with an Active Directory server. If a firewall were placed between IQService and the Active Directory domain controllers, it would need to be exceedingly permissive, opening a large number of dynamic ports. The complete list of ports is published by Microsoft in: Active Directory and Active Directory Domain Services Port Requirements.
This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/ports_used_with_ad.html