For agentless scans: TCP 137-139 or TCP 445 is required from the Protect server to the client. Protect will try both if one is blocked.
TCP 5120 is used for Shavlik Scheduler communication from the Protect server to the client. It is not used bidirectionally.
TCP 3121 is outbound from the client to the Protect server. As you noted, it's only required if you want status updates from agentless deployments. (Also used for agent communication back to the Protect server.)
For the Distribution Server: If using a UNC share, TCP 137-139 or TCP 445 is required bidirectionally. This would be for syncing operations from the Protect server and then file requests from the client to the Distribution Server. This setup isn't required (unless bandwidth is a concern), so you could remove the Distribution Server, thus removing the need for outbound ports TCP 137-139 or TCP 445. You would have Protect push everything from itself.
Let me know if you have any questions.
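
A connectivity check for the flows listed in the reply above, as an added example that is not part of the original post or Shavlik's own tooling. The flow names, the direction labels and the command-line usage are constructed for illustration; run it on the machine at the source end of each direction.

```python
import socket
import sys

# Flows as listed in the post. Where the post says "137-139 or 445",
# one reachable port is enough. Names and direction labels are constructed.
SMB_PORTS = [445, 139, 138, 137]
FLOWS = {
    "agentless_scan":   {"direction": "server->client", "any_of": SMB_PORTS},
    "scheduler":        {"direction": "server->client", "any_of": [5120]},
    "status_or_agent":  {"direction": "client->server", "any_of": [3121]},
    "dist_server_sync": {"direction": "server->distribution", "any_of": SMB_PORTS},
    "dist_server_pull": {"direction": "client->distribution", "any_of": SMB_PORTS},
}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(direction, host, probe_fn=probe):
    """Test every flow for one direction.

    Returns {flow name: first reachable port, or None if all are blocked}.
    """
    report = {}
    for name, flow in FLOWS.items():
        if flow["direction"] != direction:
            continue
        report[name] = next(
            (p for p in flow["any_of"] if probe_fn(host, p)), None
        )
    return report


if __name__ == "__main__":
    # Usage (constructed): python portcheck.py "server->client" client01
    direction, host = sys.argv[1], sys.argv[2]
    for name, port in assess(direction, host).items():
        state = f"reachable on TCP {port}" if port else "BLOCKED"
        print(f"{direction} {host} {name}: {state}")
```

A flow reported as BLOCKED for `dist_server_sync` or `dist_server_pull` only matters if a UNC-share Distribution Server is in use.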