TCP ports 49152 and 49153 are listening ports on the endpoint for Touch Panel auto discovery, so these ports will permanently remain listening.
From the Touch Panel's perspective, I don't know which port is used (as the source of the auto discovery packets), so I would need to do a lab test and verify the source port.
If the SX is registered to a Cisco VCS or Cisco UCM, then there is no need to use a public IP, as per the Firewall Traversal feature of the VCS/Expressway, which allows endpoints with a private IP to communicate directly with public IPs via the VCS/Expressways.
At this point, in the latest software versions of the SX codecs, there are not many security vulnerabilities, at least that are known, though using a public IP address on the endpoints is less secure than using a private IP address behind a firewall.
I hope this is of help.
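As an added example (not part of the reply above, and not Cisco's code), here is a small baseline check of the kind an administrator would run to confirm that an endpoint exposes only the listening ports they expect. It parses the output of `ss -ltn` (the sample below is constructed, not captured from a real SX), compares the listening TCP ports against an allow-list built from the two auto-discovery ports named in the reply, and reports anything outside that baseline. The allow-list and the sample output are assumptions for illustration; extend the baseline with whatever other services your deployment legitimately runs.

```python
import re
from typing import Dict, Iterable, Set

# Ports the reply above says will always be listening for Touch Panel auto discovery.
TOUCH_PANEL_DISCOVERY_PORTS: Set[int] = {49152, 49153}

# Constructed sample of `ss -ltn` output (not from a real endpoint).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       5       0.0.0.0:49152        0.0.0.0:*
LISTEN  0       5       0.0.0.0:49153        0.0.0.0:*
LISTEN  0       5       0.0.0.0:8443         0.0.0.0:*
"""

# Matches the "Local Address:Port" column for IPv4, IPv6 ([::]:port) and wildcard (*:port) forms.
_LOCAL_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+", re.MULTILINE)


def parse_listening_ports(ss_output: str) -> Dict[int, str]:
    """Return {port: bind_address} for every LISTEN line in `ss -ltn` style output."""
    ports: Dict[int, str] = {}
    for match in _LOCAL_RE.finditer(ss_output):
        addr, port = match.group(1), int(match.group(2))
        ports[port] = addr
    return ports


def audit_listening_ports(ss_output: str, allowed: Iterable[int]) -> Dict[str, Set[int]]:
    """Compare observed listening ports against an allow-list.

    Returns three sets: 'expected' (allowed and observed), 'missing' (allowed but
    not observed, e.g. a discovery port that should always be open) and
    'unexpected' (observed but not on the baseline, worth investigating).
    """
    observed = set(parse_listening_ports(ss_output))
    allowed_set = set(allowed)
    return {
        "expected": observed & allowed_set,
        "missing": allowed_set - observed,
        "unexpected": observed - allowed_set,
    }


if __name__ == "__main__":
    # Assumed baseline for this illustration: the two discovery ports plus HTTPS and SSH.
    baseline = TOUCH_PANEL_DISCOVERY_PORTS | {22, 443}
    result = audit_listening_ports(SAMPLE_SS_OUTPUT, baseline)
    for label, ports in result.items():
        print(f"{label:10s}: {sorted(ports)}")
```

On the constructed sample, 8443 is reported as unexpected while both discovery ports show up as expected; on a real endpoint, an empty `missing` set confirms the behaviour the reply describes (the discovery ports are always listening), and a non-empty `unexpected` set is the list to reconcile against the product's documented port usage before placing the device on a public address.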