I would recommend putting in a sniffer and gathering port information off of there, before the firewall is in place.
Typically an ICT should use H323 TCP ports from 1024 through 4999 for control signalling. Most times the RTP media stream will need to be terminated through an MTP (either software or hardware), so you would also have to open up RTP traffic (UDP ports 16384 through 32767).
To answer your other question about Phone to CCM communication, I would recommend looking at CCO and searching for "callmanager tcp udp port". Depending on the version of CM you have, you will find various documents specifying the ports.
HTH
Sankar
PS: please remember to rate posts!
Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
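
Added example (not part of the original post): one way to turn a pre-firewall capture into a rule list, by grouping the destination ports seen against the two ranges quoted above. It assumes `tcpdump -n` text output; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Port ranges quoted in the post above: (label, protocol, low, high).
RANGES = [
    ("ICT H.323 control", "tcp", 1024, 4999),
    ("RTP media", "udp", 16384, 32767),
]
OTHER = "outside quoted ranges"

# tcpdump -n text lines: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE = re.compile(r"IP [\d.]+\.(\d+) > ([\d.]+)\.(\d+): (.*)")

# Constructed sample capture (not real traffic).
SAMPLE = [
    "12:00:01.000001 IP 10.1.1.10.32771 > 10.2.2.10.1720: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000410 IP 10.2.2.10.1720 > 10.1.1.10.32771: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "12:00:02.100000 IP 10.1.1.20.16500 > 10.2.2.20.24000: UDP, length 172",
    "12:00:02.120000 IP 10.2.2.20.24000 > 10.1.1.20.16500: UDP, length 172",
    "12:00:03.000000 IP 10.1.1.30.50112 > 10.2.2.10.443: Flags [S], seq 5, win 64240, length 0",
]

def classify(proto, port):
    """Return the label of the quoted range a port falls in, or OTHER."""
    for label, p, low, high in RANGES:
        if proto == p and low <= port <= high:
            return label
    return OTHER

def summarize(lines):
    """Group (proto, dst port, dst host) seen in the capture by range."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        _sport, dst, dport, rest = m.groups()
        if rest.startswith("Flags [S]"):
            proto = "tcp"   # bare SYN only: dst port is the listening side
        elif rest.startswith("UDP"):
            proto = "udp"   # count both directions of a media stream
        else:
            continue        # SYN-ACK, ACK, data: not a new TCP connection
        seen[classify(proto, int(dport))].add((proto, int(dport), dst))
    return {label: sorted(v) for label, v in seen.items()}

if __name__ == "__main__":
    for label, flows in summarize(SAMPLE).items():
        print(label, flows)
```

Anything reported under "outside quoted ranges" is traffic the two ranges alone would not permit, so it needs its own rule or a decision to block it.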