By default, the Gateway Server initiates the connection to the Management Server over TCP port 5723 (the default port).
GTW > 5723 > MS
In that scenario you have to open firewall port 5723 (default port) inbound toward the AD environment where your Management Server is placed.
For some customers this scenario conflicts with their security policy.
In SCOM 2012 we have the option to change the direction of initiation.
You can arrange for the connection to be initiated from the Management Server side instead, over port 5723 (default port).
MS > 5723 > GTW
How to do that:
During Gateway Server approval you have to use an additional parameter for the approval command:
Your Management Server will then try to reach the Gateway Server, and you can keep your SCOM AD environment free of holes drilled from the outside.
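As an added example (not from the original post), this is how the approval with the reversed direction looks from the Management Server, followed by a check that the MS can actually reach the gateway on 5723; the hostnames and the install path of the approval tool are assumptions.

```powershell
# Added example, not from the original post. Hostnames and the tool path are assumptions.
$ms   = 'ms01.corp.example'    # Management Server (inside the AD environment)
$gw   = 'gw01.dmz.example'     # Gateway Server (outside, e.g. DMZ / untrusted domain)
$port = 5723                   # default SCOM agent/gateway port

# The approval tool ships in the SupportTools folder of the SCOM media and is
# copied next to the Management Server binaries (path assumed here).
$tool = 'C:\Program Files\Microsoft System Center 2012\Operations Manager\Server\Microsoft.EnterpriseManagement.GatewayApprovalTool.exe'

# /ManagementServerInitiatesConnection=True reverses the default direction:
# MS -> 5723 -> GTW instead of GTW -> 5723 -> MS.
& $tool "/ManagementServerName=$ms" "/GatewayName=$gw" '/Action=Create' '/ManagementServerInitiatesConnection=True'
if ($LASTEXITCODE -ne 0) { throw "Gateway approval failed with exit code $LASTEXITCODE" }

# Check from the MS side: with the reversed direction it is the MS that must be able
# to open TCP 5723 on the gateway, so only an outbound rule is needed on the AD side.
$probe = Test-NetConnection -ComputerName $gw -Port $port
if ($probe.TcpTestSucceeded) {
    Write-Host "MS can reach $gw on TCP $port - initiation from the MS side will work."
} else {
    Write-Host "MS cannot reach $gw on TCP $port - check the gateway host firewall and the DMZ rules."
}
```

Run it in an elevated PowerShell on the Management Server; the gateway still needs its own certificate and the gateway role installed as usual, only the direction of the TCP connection changes.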