Well, that should be port 80/443 and port 53, perhaps to the IP of OpenDNS.
But that is so easy you probably tried it, right?
It will depend on whether you use local networks on the IAP (which are NATed behind the AP IP) or put your users in networks on your wired network. What do you do?