In order to run a VNC server behind a firewall, there are two TCP ports that need to be opened on the machine hosting the VNC server so that the service can listen on them. The exact port number depends on the VNC display number because a single machine can run multiple VNC services and each will run on a different pair of ports:
port 59xx/TCP, where xx is the display number of the VNC session.
port 58xx/TCP (this port allows connection by a web browser to a very small web server that is built into most VNC servers).
The VNC viewer connects to:
port 59xx/TCP on the machine hosting the VNC server (xx is the display number of the VNC session).
port 58xx/TCP on the machine hosting the VNC server.
Note: If you are running a viewer in 'listening' mode, where it accepts connections initiated by the server, it will listen for incoming traffic on port 5500/TCP, so you need to permit new incoming connections to this port on the internal machine running the VNC viewer.
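To check which of these ports a host actually has open before writing firewall rules, the listener table can be mapped back onto the 59xx/58xx/5500 scheme described above. The following is an added example, not part of the original page; it assumes the column layout of `ss -tln` output, and the sample text and the function names `classify` and `audit` are constructed for illustration.

```python
# Added example: classify VNC-related listeners in `ss -tln` output.
# SAMPLE_SS is constructed for illustration, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*
LISTEN 0      5      0.0.0.0:5801       0.0.0.0:*
LISTEN 0      5      127.0.0.1:5902     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      5      0.0.0.0:5500       0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0", "*", "[::]"}  # socket is bound on every interface


def classify(port):
    """Map a TCP port to (role, display) using the 59xx/58xx/5500 scheme."""
    if 5900 <= port <= 5999:
        return ("vnc", port - 5900)
    if 5800 <= port <= 5899:
        return ("http-viewer", port - 5800)
    if port == 5500:
        return ("listening-viewer", None)  # viewer side, no display number
    return None


def audit(ss_output):
    """Return one finding per listening socket that matches a VNC port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")  # handles [::]:22 as well
        role = classify(int(port)) if port.isdigit() else None
        if role is None:
            continue
        findings.append({"port": int(port), "role": role[0], "display": role[1],
                         "all_interfaces": addr in WILDCARDS})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        scope = "all interfaces" if f["all_interfaces"] else "specific address"
        print(f"{f['port']}/TCP  {f['role']:<17} display={f['display']}  {scope}")
```

Listeners reported on all interfaces are the ones whose reachability depends entirely on the firewall rules for those ports.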