HTTP (80) is the default port agents use to retrieve their tasks from the console.
HTTPS (443) is the SSL port that can be enabled from Settings. When enabled, all HTTP connection requests are forwarded to HTTPS.
NATS (4222) (optional) is used for pushing tasks to endpoints in real time. If this port is not allowed in your environment, AIR uses HTTP(S) polling as its default task retrieval mechanism.
Notes on Firewall Rules
The console installer automatically adds inbound allow rules for the above ports to Windows Firewall.
The endpoint installer, on the other hand, doesn't set any firewall exclusions; it is your responsibility to make sure enterprise firewall policies allow endpoints to access the console over these ports.
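
An added example, not part of the AIR documentation or product: a Python check to run from an endpoint that probes the console ports listed above and reports which task retrieval mechanism the firewall policy leaves available. The console host name and the `--https` switch are placeholders of this script, and treating 443 as the required port when HTTPS is enabled is an assumption drawn from the forwarding behaviour described above.

```python
import socket
import sys

# Console ports from the list above.
AIR_PORTS = {"HTTP": 80, "HTTPS": 443, "NATS": 4222}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, or DNS failure
        return False


def check_console(host, ports=AIR_PORTS, probe=tcp_reachable):
    """Probe every console port from this endpoint; returns {name: bool}."""
    return {name: probe(host, port) for name, port in ports.items()}


def assess(results, https_enabled=False):
    """Map probe results to the task retrieval mode the firewall leaves open."""
    # Assumption: with HTTPS enabled the console forwards HTTP to HTTPS,
    # so 443 must be reachable; otherwise agents use the default port 80.
    needed = "HTTPS" if https_enabled else "HTTP"
    if not results.get(needed):
        return "blocked: %s port unreachable, agent cannot retrieve tasks" % needed
    if results.get("NATS"):
        return "ok: real-time push over NATS"
    return "ok: NATS unreachable, HTTP(S) polling only"


if __name__ == "__main__":
    # Placeholder host name; pass your console address as the first argument.
    # "--https" is this script's own switch, not an AIR option.
    host = sys.argv[1] if len(sys.argv) > 1 else "air-console.example.internal"
    https = "--https" in sys.argv[2:]
    results = check_console(host)
    for name, ok in results.items():
        print("%-5s %-5d %s" % (name, AIR_PORTS[name], "open" if ok else "BLOCKED"))
    print(assess(results, https_enabled=https))
```

A completed TCP handshake only shows that the firewall path is open; it does not confirm that the console service itself is answering on that port.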