The way in which the Web server manages web sessions is using specific ports. By default this is random, which as you have observed creates an issue with firewalls.
You can restrict the range of ports used for sessions via
Administration Control -> Access Policy
Then down the bottom is a section called HTTP Configuration
Here you can configure the ports that can be used for administration sessions.
So 2002 is always used for the initial login, and then once sucesfull the admin will be placed on to one of these ports.
Only one admin per port, so only opening 2 ports means that only 2 admins can have concurrent access.
Once you have determined how many admins you want to have concurrent access, select an appropriate port range and open this up in your firewall as well