Network ACLs - locking down the Quest box and Netvault box

Has anyone created any network switch ACLs for locking down their Quest boxes and Netvault boxes?

We've got a VLAN dedicated purely to our Quest box, which has a virtualised Netvault box running off of it; these are both on VLAN5. All of the virtual standby machines, bar the Netvault machine, that run off the Quest box are on separate VLANs.

The Quest box and Netvault machine are both off the Domain, both configured with static IPs and only connect to the Domain DC for DNS. They do communicate and replicate to a 2nd Quest box at a different site though as well.

Edit:

Just an additional bit of information from looking at firewall logs and switch logs.

Over the past week, the below ports have been used by the Quest and Netvault box.

8009 - Quest Agent (used to back up servers)
8006 - Replication to the other Quest box off site
3389 - RDP
443 - HTTPS, used for communicating with the licensing server at Quest.
20031 - This appears to be Netvault related
445 - File sharing for moving mounted data off to the domain machines to restore files/folders
13000 - Antivirus
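
An added example (not part of the original post): a Python sketch that checks flow records against the ports listed above and produces candidate permit lines ending in an explicit deny. The VLAN5 subnet, all addresses and the sample flow records are constructed assumptions (documentation ranges), and the IOS-style ACL lines are a generic form to adapt to the switch in use.

```python
import ipaddress
from collections import defaultdict

# Ports listed in the post, plus 53 for the DNS lookups to the DC it mentions.
ALLOWED_PORTS = {8009, 8006, 3389, 443, 20031, 445, 13000, 53}
# Assumption: VLAN5 subnet (documentation range, not from the post).
BACKUP_NET = ipaddress.ip_network("192.0.2.0/28")
# Constructed sample flow records: "src dst proto dport".
SAMPLE_FLOWS = """\
192.0.2.2 198.51.100.10 tcp 8009
192.0.2.2 198.51.100.11 tcp 8009
192.0.2.2 203.0.113.5 tcp 8006
198.51.100.50 192.0.2.2 tcp 3389
192.0.2.3 198.51.100.1 udp 53
192.0.2.3 198.51.100.20 tcp 20031
198.51.100.77 192.0.2.2 tcp 5985
192.0.2.2 198.51.100.10 tcp 8009
198.51.100.10 198.51.100.11 tcp 445
"""

def audit(flow_text):
    """Split flows touching the backup VLAN into ACL candidates and unexpected."""
    candidates = defaultdict(set)  # (proto, dport) -> {(src, dst)}
    unexpected = []
    for line in flow_text.splitlines():
        try:
            src, dst, proto, dport = line.split()
            ends = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
            dport = int(dport)
        except ValueError:
            continue  # skip malformed records
        if not any(ip in BACKUP_NET for ip in ends):
            continue  # traffic that never touches VLAN5
        if dport in ALLOWED_PORTS:
            candidates[(proto, dport)].add((src, dst))
        else:
            unexpected.append((src, dst, proto, dport))
    return dict(candidates), unexpected

def render(candidates):
    """Emit one permit line per observed pair, then an explicit logged deny."""
    ordered = sorted(candidates.items(), key=lambda kv: kv[0][1])
    lines = [f"permit {proto} host {s} host {d} eq {port}"
             for (proto, port), pairs in ordered for s, d in sorted(pairs)]
    return lines + ["deny ip any any log"]

if __name__ == "__main__":
    allowed, odd = audit(SAMPLE_FLOWS)
    print("\n".join(render(allowed) + [f"review: {f}" for f in odd]))
```

Flows reported as "review" touch VLAN5 on a port outside the list and need a decision before the deny line goes live; pairs are keyed on source and destination as logged, so the resulting entries follow whatever direction the logs actually recorded.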