Communication between the Connect Servers inside and outside the DMZ is encrypted automatically; no certificates have to be provided or installed for this.
In the DMZ scenario, only the Connect Server in the DMZ needs to be allowed to open outbound TCP connections to ports 443, 2195 and 2196, and only if push notifications are used.
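The outbound allowlist for the DMZ Connect Server, written as Windows Firewall rules. This is an added example, not code from the XPhone Connect documentation; it assumes the rules are created on the DMZ Connect Server itself, and the hostnames in the checks are placeholders.

```powershell
# Added example, not from the XPhone Connect documentation: a Windows Firewall
# allowlist for the Connect Server in the DMZ, covering the outbound ports the
# page names for push notifications (TCP 443, 2195, 2196).
# Assumptions (not stated on the page): the rules are created on the DMZ
# Connect Server itself; the hostnames used in the checks are placeholders.

# Optional but recommended for a DMZ host: deny outbound by default so that
# only explicit rules get out. Do this only after every other connection the
# host needs (DNS, the link to the internal Connect Server, whose port this
# page does not give, updates) has its own allow rule, otherwise they break.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# The allowlist from the page: outbound TCP to 443, 2195 and 2196.
New-NetFirewallRule -DisplayName 'XPhone Connect DMZ - push notifications (outbound)' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemotePort 443,2195,2196 -Profile Any

# Review what the rule actually allows before relying on it.
Get-NetFirewallRule -DisplayName 'XPhone Connect DMZ - push notifications (outbound)' |
    Get-NetFirewallPortFilter

# Checks from the DMZ host: a port on the allowlist should connect if the
# remote end answers; a port outside it should be blocked by the default-deny
# (TcpTestSucceeded = False).
Test-NetConnection -ComputerName 'push.example.com' -Port 443
Test-NetConnection -ComputerName 'push.example.com' -Port 80
```

If the push service executable on the DMZ host is known, the allow rule can be tightened further with `-Program` so that only that process may use the three ports; the page does not name the executable, so that parameter is left out here.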
(WebServer) <-> XPhone Connect Server
All connections to the server are encrypted. The certificates needed for this are generated randomly at each start of the server and are only used for that run, so a certificate that is "stolen" is of very little use. This works because the certificates serve only to encrypt the connection, not to authenticate either side, in contrast to UC2011. A consequence is that these certificates cannot be pinned or distributed in advance, and they prove nothing about who is connecting; that is the job of the logon described below.
The web application logs on to the server like an ordinary user and uses the authentication intended for that purpose, i.e. integrated Windows logon or username/password. This differs from the Edge server in UC2011, which had to authenticate itself with its certificate in order to connect to the UC2011 server at all.
Currently, the only port relevant for this connection is 2230.
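A check for the certificate behaviour described above: connect to port 2230, record the certificate the server presents, and compare the thumbprint before and after a restart of the Connect Server. This is an added example, not code from the XPhone Connect documentation or the product; it assumes the connection on 2230 is a TLS handshake from the first byte, and the server name is a placeholder.

```powershell
# Added example, not from the XPhone Connect documentation: inspect the
# certificate the XPhone Connect Server presents on port 2230 and record its
# thumbprint. Run it before and after a restart of the server; the page says
# the certificate is regenerated at each start.
# Assumptions (not stated on the page): the connection on 2230 is a TLS
# handshake from the first byte; the server name below is a placeholder.

function Get-XPhoneServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 2230
    )

    $client = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        # Accept whatever certificate is presented: this is an inspection, not a
        # trust decision. The page says the certificate is not used for
        # authentication, so there is nothing to validate it against anyway.
        # Never copy this callback into production client code.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = "$ComputerName`:$Port"
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotBefore  = $cert.NotBefore   # compare with the server's last start time
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint  # compare across a restart of the server
        }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

# Usage: record the thumbprint, restart the Connect Server, run again, compare.
$before = Get-XPhoneServerCertificate -ComputerName 'connect.example.internal'
$before | Format-List
# ... restart the XPhone Connect Server, then:
# $after = Get-XPhoneServerCertificate -ComputerName 'connect.example.internal'
# Compare-Object $before.Thumbprint $after.Thumbprint
```

If `AuthenticateAsClient` fails with a handshake error, the protocol on 2230 does not begin with a plain TLS handshake and this check does not apply as written. The accept-any callback is deliberate for inspection only; because the page states that the certificate is not what authenticates the connection, the real access control to verify is the user logon (integrated Windows logon or username/password) that the web application performs.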