UCS Director integration with APIC is over HTTP(Port 80) or HTTPS (Port 443) protocol.
UCS Director acts as a client and APIC controller acts as a server. (API provider)
If only HTTPS is enabled on APIC controller, then you need to open port 443 on firewall (Direction is: UCSD --> APIC)
Since UCSD is client here, it uses any random port.
As of today there is "NO" integration from APIC controller back to UCS Director, i.e. APIC controller is calling UCS Director API over HTTPs. So you do not need to open any firewall port from APIC to UCS Director.
Hope it clarifies.