I have seen this behavior as well. This should actually not be an issue with automatic tunneling putting the communication into the cvfwd port (8403) anyway. Unfortunately I have seen that in really locked down environments it may take a while for the software to realize that ports are closed and to move over to tunneled comm.
easiest fix would be to use network topologies - which I would recommend anyway as using all those high ports is a big attack surface anyway - even if windows firewall would open them based on the program rules - it’s still better to just tunnel communication on a single port … hence network topologies