If users outside of your internal network will need to connect to your server then you will need to open port 5222 in your firewall. If you are going to federate with other servers (i.e. exchange messages with other XMPP servers) then you will also need to open port 5269 in your firewall.
Clients that are not using a firewall do not need to configure anything on their side. If they have their own firewall they will need to configure it so that their application can open outgoing traffic to your server. Usually that is not needed but some places with high security like to block outgoing traffic. Clients will use a temporary port to connect to the port 5222 on the server. That temporary port (aka ephemeral port) will change each time they connect but, as I said, firewalls do not care about them unless they are too restrictive.
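The server-side rules described above, written as an nftables ruleset. This is an added example, not part of the original post; it assumes a Linux host using nftables, and the table name `xmpp_fw` is hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post). Server-side inbound filter.
# Assumption: table name "xmpp_fw" is hypothetical.
# The input policy is drop: add a rule for your management access
# (for example SSH from an admin network) before loading this.

table inet xmpp_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic and basic ICMP/ICMPv6 (needed for IPv6 neighbour discovery).
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Return traffic for connections that are already tracked, including
        # replies to outbound federation connections this server opened.
        ct state established,related accept
        ct state invalid drop

        # Client-to-server (c2s). Clients connect from an ephemeral source
        # port that changes per connection, so only the destination port
        # is matched; no rule ever names the client's source port.
        tcp dport 5222 ct state new accept

        # Server-to-server (s2s) federation. Leave this rule out if the
        # server does not exchange messages with other XMPP servers.
        tcp dport 5269 ct state new accept
    }

    chain output {
        # Outbound is unrestricted here; replies to clients leave through
        # the tracked connection regardless of the client's ephemeral port.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax with `nft -c -f <file>` before loading it. A client site that filters outgoing traffic needs the mirror-image rule on its side: allow new outbound TCP connections to port 5222 on the server's address.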