1. You only need to permit TCP connections on port 900 from the agent to the server, unless the default port was changed during the InTrust installation. You don't have to explicitly open any other port in either direction, but the firewall must allow response traffic (server -> agent) within the connection that the agent establishes with the server on port 900. Communication is always initiated by the agent; once the connection is established, it is bidirectional.
2. Data from untrusted domains can be collected with or without agents (if you specify appropriate credentials in the site properties).
3. However, if you use agents across a firewall, the InTrust agents in those segments have to be installed manually, not through Deployment Manager.
4. The repositories can be consolidated through the firewall, as long as port 900 is open bidirectionally.
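
The rule from item 1, as an added example that is not taken from the InTrust documentation: it assumes the firewall in question is Windows Defender Firewall on the InTrust server host, and the rule name, agent subnet and server name are constructed placeholders. Because that firewall is stateful, a single inbound allow rule scoped to the agent segments covers the server -> agent replies as well.

```powershell
# Added example. Assumptions: host firewall is Windows Defender Firewall,
# InTrust still listens on its default port 900 (see item 1).
$Port         = 900
$RuleName     = 'InTrust agent to server (TCP 900)'   # hypothetical rule name
$AgentSubnets = @('192.0.2.0/24')                      # constructed placeholder segment

function Set-InTrustServerRule {
    # Run on the InTrust server, elevated. Idempotent: replaces any rule of the same name.
    param(
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [int]$LocalPort = 900,
        [Parameter(Mandatory)][string]$DisplayName
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $DisplayName
    }
    # Inbound only, and only from the agent segments: agents initiate every
    # connection, so no server -> agent rule is created for the agent traffic.
    New-NetFirewallRule -DisplayName $DisplayName `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $LocalPort -RemoteAddress $RemoteAddress
}

function Test-InTrustAgentPath {
    # Run on an agent machine to confirm the agent -> server path is open.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [int]$Port = 900
    )
    $result = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Server    = $ServerName
        Port      = $Port
        Reachable = $result.TcpTestSucceeded
    }
}

# On the server:
#   Set-InTrustServerRule -RemoteAddress $AgentSubnets -LocalPort $Port -DisplayName $RuleName
# On an agent ('intrust-server.example.test' is a constructed name):
#   Test-InTrustAgentPath -ServerName 'intrust-server.example.test' -Port $Port
```

Repository consolidation (item 4) needs port 900 open bidirectionally, which this one-way rule does not provide.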