If the customer has a firewall between the K2000 and the clients they are trying to push an operating system to, the following ports need to be open:
80 -- HTTP
139 -- SAMBA share
135 -- SAMBA share
445 -- SAMBA share (Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).
22 -- SSH (outbound only for tethers)
22 -- SSH for syncing to RSA and single sign-on
389 -- LDAP (if using LDAP authentication)
636 -- LDAPS (if using secure LDAP authentication)
67 -- DHCP
69 -- TFTP
4011 -- PXE
8108 -- Media Manager
These ports also cover communication between the K2000 and an RSA.
The customer will also need to ensure that the routers / firewalls are setup to allow DHCP to traverse them (BootP protocol) if clients span across them.
K2000 does not have a built-in firewall. The K2000 is not recommended for DMZ operations, only for operation on the internal network.