I used tcpdump to capture all traffics on the good probe, and found all the ports that the probe has send a SYN on, they are:
8443 or 8080 depending on if HTTPS or HTTP is used.
note: the command I used is:
tcpdump -i eth2 host SAMHOSTNAME and 'tcp[tcpflags] & tcp-syn == tcp-syn'
hope this helps.
Note: I've learned a new way of identifying those blocked firewall from my friend James, if you run following command quick enough you should be able to see what's wrong:
netstat -an|grep SYN