80 / 443 (TCP, HTTP / HTTPS) on the Worker server. Requires outgoing access. The autodiscover process attempts HTTPS to the CAS servers when connecting to Exchange mailboxes. If that fails, it uses port 80 as a last resort. If Exchange, autodiscover, and EWS are set up properly, only port 443 should be necessary.
3268 or 3269 (TCP). Requires outgoing access. Retain uses one of these ports for LDAP lookups to the global catalog host, which is the primary database server for Active Directory.
Port 3268 is for plaintext and port 3269 is for SSL (recommended).
53 (UDP). Requires outgoing access. This is the port used by DNS. Retain uses DNS lookups during its autodiscover process.
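The following is an added example, not vendor code: it audits a Worker server's outbound flows against the port list above, flagging the port 80 autodiscover fallback, plaintext global catalog lookups on 3268, and any destination port outside the list. The `<proto> <dst>:<port>` log format, the addresses, and the function names are assumptions made for illustration.

```python
# Added example (not vendor code): audit a Worker server's outbound flows
# against the documented port list. Log format and addresses are constructed.
POLICY = {
    ("tcp", 443): ("ok", "autodiscover/EWS over HTTPS"),
    ("tcp", 80): ("warn", "autodiscover HTTP fallback; HTTPS attempt failed"),
    ("tcp", 3269): ("ok", "global catalog LDAP over SSL"),
    ("tcp", 3268): ("warn", "plaintext global catalog LDAP; use 3269"),
    ("udp", 53): ("ok", "DNS lookup"),
}

# Constructed sample of outbound flow records (documentation address range).
SAMPLE_LOG = """\
tcp 192.0.2.10:443
udp 192.0.2.53:53
tcp 192.0.2.20:3268
tcp 192.0.2.10:80
tcp 192.0.2.20:3268
tcp 192.0.2.99:8080
"""

def parse_line(line):
    """Parse '<proto> <dst>:<port>' (assumed format); return None if malformed."""
    parts = line.split()
    if len(parts) != 2 or ":" not in parts[1]:
        return None
    dst, _, port = parts[1].rpartition(":")
    if not port.isdigit():
        return None
    return parts[0].lower(), dst, int(port)

def audit(log_text):
    """Return one finding per distinct non-'ok' flow, in first-seen order."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow in seen:
            continue
        seen.add(flow)
        proto, dst, port = flow
        verdict, reason = POLICY.get(
            (proto, port), ("unexpected", "not in the documented port list"))
        if verdict != "ok":
            findings.append((verdict, f"{proto}/{port}", dst, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A `warn` on tcp/80 means the HTTPS autodiscover attempt to that host failed, so the fix belongs on the Exchange side rather than in the firewall rule.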