You may have seen in the documentation wiki that TCP ports 443, 3306, 5900, 7900 and 7901 are used by PAM for clustering. The documentation does not make it clear that only port 443 shows as open when the cluster is not running. In addition, when the cluster is running, these ports will only be seen as open to cluster members. A port scan to a cluster member from a node that is not part of the cluster will show ports 3306, 5900, 7900 and 7901 as closed. Please keep this in mind when you perform port scans, to be sure that your firewall allows these ports through.
Thanks for the heads up