If you need to deploy the SCOM agent from your console that is in a DMZ, but the server is still in the same domain as your SCOM management server and can establish Kerberos authentication, then you will need to consider opening additional ports over and above the standard port 5723.
Long story short, here is a small list of ports that are very helpful for conducting an agent push from the console. NOTE: This is in addition to the official Microsoft document.
Bear in mind that you can close these ports after the installation, but you won’t be able to repair or upgrade (cannot remotely manage) agents from the console.
As a final point, each environment is different, with different security settings. I highly recommend using the official System Requirement document (http://technet.microsoft.com/en-us/library/dn249696.aspx) from Microsoft as a starting point. It contains exactly what is needed and you cannot go wrong. Then ask your Security team if the ports mentioned above are closed; if they are, add them to your list!