Hey Benjamin,
A couple of points;
That document is for Primary and Replica AM server communication, Older versions of ACE 5.2 to 6.1.x, and Those TCP ports 5505..5515 were database replication ports, so translate that to TCP port 7002 in AM 8.x
Authentication Agents, Windows Servers, VPNs from Cisco, Juniper, CheckPoint, the list goes on..., communicate to AM servers over UDP 5500, with some new agents that need IPv6 communicating of TCP port 5500. Windows agents in particular need access to TCP port 5580 on the AM servers for offline data and Windows Password integration. On an AM protected server or VPN, you would enter your TokenCode or PassCode, but it would be sent over the agent port, most likely UDP 5500, but in new and less rare cases over TCP 5500.
The software tokens (and hardware tokens for that matter) do not communicate when they are running, they are basically synchronized to what the AM server has for that token Serial Number, so both calculate the same tokencode at the same time.
With a software token Device, e.g. on a Smart Phone or Windows PC, you need the software token application installed for that Device, which you download from the Smart Phone App store or from RSA Link here, then you need a Token, or more specifically a TokenSeed. The AM server has to Distribute this software Token to the User it is assigned to, and that specific software token can either be a file (.sdtid extension) which you might email or hand deliver, or through an encrypted link known as CTKIP, basically a URL. This is communication between a Device and the AM sever. If you are coming through the Internet, you would need something called a Web Tier. If you were on an internal LAN inside your Corporate FireWall, the CTKIP URL would go against the AM Server TCP port 7004, which is also used for Self-Service and for Security Console Administration work, so you should not open this port to the Internet.
The attached PDF covers a lot of Software Token Basics
