What ports need to be opened on firewall between search head and the app/index server?
It depends on what you all have configured. As you are saying you "only" have a search head connection to the index server, I reckon you open 8089.
Here is a little list which may help:
Splunk UI 8000
Distributed Search 8089
Further, you may have a look on your system at what ports you are listening on: netstat -a
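To go with the netstat check in the answer above, here is an added example (not part of the original post) that reads numeric netstat output and reports, for the two ports listed, which address each listener is bound to, since that decides whether a firewall rule can work at all and how tightly it should be scoped. It assumes `netstat -an` style output in the Linux or Windows colon format; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (Linux layout); not from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8089           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8089           10.0.0.9:51544          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# splunk_listeners [PORTS]  (hypothetical helper)
# Reads netstat output on stdin and prints "port address scope" for every
# listening socket on the wanted ports (default: 8000 and 8089 from the list
# above), then "port - not-listening" for wanted ports with no listener.
splunk_listeners() {
    awk -v ports="${1:-8000 8089}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # Linux prints LISTEN, Windows prints LISTENING, both in the last column.
        $NF == "LISTEN" || $NF == "LISTENING" {
            # The local address is the first field that ends in ":<digits>".
            la = ""
            for (f = 1; f <= NF; f++) if ($f ~ /:[0-9]+$/) { la = $f; break }
            if (la == "") next
            port = la; sub(/.*:/, "", port)
            if (!(port in want)) next
            addr = substr(la, 1, length(la) - length(port) - 1)
            # Wildcard binds are reachable on every interface; loopback binds
            # cannot be reached from another host whatever the firewall allows.
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
                scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
                scope = "loopback-only"
            else
                scope = "specific-interface"
            printf "%s %s %s\n", port, addr, scope
            seen[port] = 1
        }
        END { for (i = 1; i <= n; i++) if (!(p[i] in seen)) printf "%s - not-listening\n", p[i] }'
}

# Run against the constructed sample; on a real host: netstat -an | splunk_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | splunk_listeners
```

A port reported as all-interfaces is a reason to limit the firewall rule to the search head's source address rather than opening the port to the whole network.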