The purpose of a firewall is to increase security by blocking communications and allowing communications with only certain ports, such as 80 and 443 for HTTP and HTTPS traffic.
By default, the LoadRunner Controller uses TCP port 50500 to send data to TCP port 54345 on the Windows Load Generator.
The Load Generator sends information back via a dynamic port, through the MI Listener.
To avoid having to beg Network Administrators for more ports to be opened, on each load generator machine inside the firewall, from

Start > Programs > LoadRunner > Advanced Settings > Agent Configuration (launch_service\bin\AgentConfig.exe)

install the (Monitoring Over Firewall machine) MoFW/RoWF agent.

Check the option “Enable Firewall Agent”.  It collects performance counters and sends them to a controller over a firewall. MoFW communicates with the MI Listener through port 443, so you can’t have any web servers (like Apache WebTours, IIS, or Oracle HTTP servers) running on both the machines.
Verify whether port 443 actually allows communication by running command and substituting the ip address in:
telnet 443
This should open a telnet window.

UNIX Load Generator uses a dynamic port that cannot be fixed.
When defining a “remote” load generator from within the Controller, click “Details” for the “Load Generator Information” dialog, where you can click the “Firewall” tab and check “Enable Firewall”.
Courtesy :