If you have a firewall which monitors/block outgoing connections you have to allow the Machine running the BES server to connect to port 3101 to the RIM servers.
If you need to restrict this not only to a port but to a range of IP Adresses, read this KB article: KB03735-Firewall and connection requirements for the BlackBerry Enterprise Server, BlackBerry Device Service, and Universal Device Service
and configure your Firewall appropriate.
There is no extra firewall rule needed or an open port to your blackberry server or DMZ. Normally your firewall should automatically allow related traffic to the outgoing traffic to port 3101.