Most of the ports that are used only need to be open in an outgoing direction. For a home network, routers and firewalls usually allow all ports to be open in an outgoing direction. However, on an enterprise network it is often the case that only specific ports out, and to specific addresses, are opened.
For example, port 80 (HTTP) might only be open in an outgoing direction for traffic from a corporate proxy server, and this means all other devices are forced to send their HTTP traffic via the proxy server.
More specifically for the case of APN, see http://support.apple.com/kb/ht5302
To make this clearer, ports 2195 and 2196 need to be allowed out from the Profile Manager server to Apple's servers. As you mentioned, Apple's servers use an entire 17.0.0.0/8 block, i.e. 17.anything, and you therefore need to allow to any 17.x.x.x number. Tell your IT people (the truth) that the entire 17 block is officially registered to Apple. I can tell you that I have worked in a Government department and had no problem getting this authorised because it is necessary and true. Similarly, port 5223 also needs to be allowed out from the Profile Manager server to the same Apple block.
Note: Ports 2195, 2916, and 5223 cannot go via a proxy server, not even a SOCKS proxy server.
Ports 443, 80, and 1640 on your Profile Manager server all need to be reachable by your client devices. If your client devices connect internally, e.g. on an internal WiFi that is part of your internal network, and don't go via the firewall, then you would not need to alter anything; however, this is extremely unlikely, especially as you are using iPhones, which almost de facto will spend most of their time outside your network. Therefore you will need to allow those ports in to the Profile Manager server from any address on the Internet. Furthermore, the DNS name of the Profile Manager server needs to be resolvable on the Internet, e.g. profile.example.com.
This would normally mean the Profile Manager server needs to have a public IP address rather than a NATed private IP address. However, if you run a 'split-horizon' domain where internally profile.example.com resolves to the internal private IP address, and externally profile.example.com resolves to one of your (or your only) public IP addresses, and you have your router 'port-forward' that to the internal IP address, then this will also work.
The way all this works is basically as follows.
- The Profile Manager needs to send a new profile to an iPhone. To do this it tells Apple's APN servers that there is a message for a specific iPhone (Profile Manager has no idea what address to use to reach the iPhone, but Apple's APN server does).
- The iPhone will be regularly talking to Apple's APN server and hence Apple's APN knows its address. The iPhone receives a message from the APN server saying 'you need to call home to the Profile Manager server at address xyz'.
- The iPhone then 'phones home' to the Profile Manager server via port 443.
- The Profile Manager and iPhone are now able to communicate directly and the updated profile is delivered to the iPhone.
In other words, Apple's APN server acts as a middle man.
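The allowlist described in this answer, written out as a small policy model so the required flows can be checked before asking the firewall team for changes. This is an added example, not code from the original post or from Apple; the Profile Manager address, the APNs address and the client addresses are constructed, and the outbound ports are the ones named above (2195, 2196, 5223).

```python
"""Firewall allowlist for Profile Manager + APNs, as the answer describes it.
Added example, not from the original post; addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")   # whole /8 registered to Apple
ANY = ipaddress.ip_network("0.0.0.0/0")
PROFILE_MANAGER = "10.0.0.20"                       # constructed internal address
APNS_OUT_PORTS = frozenset({2195, 2196, 5223})      # Profile Manager -> Apple
CLIENT_IN_PORTS = frozenset({80, 443, 1640})        # devices -> Profile Manager
NO_PROXY_PORTS = APNS_OUT_PORTS                     # cannot be relayed, even via SOCKS

def host(ip):
    """Single-address network for use in rules."""
    return ipaddress.ip_network(f"{ip}/32")

@dataclass(frozen=True)
class Rule:
    direction: str                  # "out" = egress, "in" = ingress
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset

# The minimal rule set; anything not matched is denied (default deny).
RULES = (
    Rule("out", host(PROFILE_MANAGER), APPLE_BLOCK, APNS_OUT_PORTS),
    Rule("in", ANY, host(PROFILE_MANAGER), CLIENT_IN_PORTS),
)

def verdict(direction, src, dst, port, via_proxy=False, rules=RULES):
    """Return 'allow' or a 'deny: ...' reason for one TCP flow."""
    if via_proxy and port in NO_PROXY_PORTS:
        return "deny: port cannot be relayed by a proxy"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction == direction and s in r.src and d in r.dst and port in r.ports:
            return "allow"
    return "deny: no matching allowlist rule"

def audit(flows):
    """Evaluate a list of flow tuples; returns a list of (flow, verdict)."""
    return [(f, verdict(*f)) for f in flows]

if __name__ == "__main__":
    SAMPLE = [  # constructed flows
        ("out", PROFILE_MANAGER, "17.172.232.10", 2195),        # to Apple block: allow
        ("out", "10.0.0.55", "17.172.232.10", 2195),            # other host: deny
        ("out", PROFILE_MANAGER, "198.51.100.9", 2196),         # outside 17/8: deny
        ("out", PROFILE_MANAGER, "17.172.232.10", 2196, True),  # via proxy: deny
        ("in", "203.0.113.7", PROFILE_MANAGER, 443),            # iPhone phoning home
        ("in", "203.0.113.7", PROFILE_MANAGER, 22),             # not required: deny
    ]
    for flow, v in audit(SAMPLE):
        print(flow, "->", v)
```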