Please use the forum search function or Google; there are often interesting posts, like this:
https://supportforums.cisco.com/thread/2163177
If full management is wanted, the TMS should be on a public IP, or port forwarding / a reverse proxy should be used.
If either the TMS or the endpoint is behind a firewall or NAT, you will lose some functionality.
In general you can live with the endpoint being able to reach tcp/80, tcp/443 (basic management and phonebooks)
and optionally udp/162 for traps (most likely only MXP systems).
Check out the generic TMS documentation:
http://www.cisco.com/en/US/products/ps11338/tsd_products_support_series_home.html