Port 7389 is LDAP traffic between UCS hosts. This is encrypted to protect credentials and other sensitive information. Even if you don't wish to switch encryption off for this communication, you can try to limit the amount of data to be transferred by setting up slave DCs on all sites and/or limiting the LDAP scope to be synchronized. (I didn't find a HOWTO document at first glance, but I feel this can be done.)
Regarding port 1024, I don't know exactly. It belongs to Microsoft's default port range for RPC communications. UCS hosts acting as a Windows DC (using Samba4) use it the same way. I'd suppose it's encrypted, too.
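Before relying on the statement that the LDAP traffic on port 7389 is encrypted, a practitioner would want to verify it. The following is an added example, not code from the post above or from the UCS project: it speaks just enough LDAP (RFC 4511 BER framing) to send a StartTLS extended request and read the server's ExtendedResponse, then upgrades the socket to TLS when the server agrees. The StartTLS OID 1.3.6.1.4.1.1466.20037 and the result codes are the standard ones; the port 7389 default comes from the post, and the hostname and the sample responses are constructed placeholders. A server that refuses StartTLS (or never had it enforced) is the finding to follow up on.

```python
import socket
import ssl

# Standard LDAP StartTLS extended operation OID (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# LDAP resultCode values a StartTLS probe is likely to see (RFC 4511 section 4.1.9).
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                53: "unwillingToPerform"}


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    """Tag-length-value triple for a single BER element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    Assumes message_id < 128 so the INTEGER fits in one byte."""
    msg_id = ber_tlv(0x02, bytes([message_id]))
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, msg_id + ext_req)


def ber_read(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Decode an LDAPMessage carrying an ExtendedResponse [APPLICATION 24] (tag 0x78)."""
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    tag, mid, pos = ber_read(msg, 0)
    message_id = int.from_bytes(mid, "big")
    tag, body, _ = ber_read(msg, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, rc, pos = ber_read(body, 0)          # resultCode ENUMERATED
    _, matched_dn, pos = ber_read(body, pos)  # matchedDN (usually empty here)
    _, diag, pos = ber_read(body, pos)        # diagnosticMessage
    result_code = int.from_bytes(rc, "big")
    return {"message_id": message_id, "result_code": result_code,
            "result": RESULT_NAMES.get(result_code, str(result_code)),
            "diagnostic": diag.decode("utf-8", "replace")}


def sample_response(result_code, diagnostic=b"", message_id=1):
    """Constructed ExtendedResponse bytes for offline testing; not captured traffic."""
    body = (ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"")
            + ber_tlv(0x04, diagnostic))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ber_tlv(0x78, body))


def probe_starttls(host, port=7389, timeout=5.0):
    """Ask the LDAP server on host:port for StartTLS; on success, complete the TLS
    handshake and report the negotiated protocol version and cipher."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        reply = sock.recv(4096)   # the ExtendedResponse is tiny; one recv suffices in practice
        info = parse_extended_response(reply)
        if info["result_code"] == 0:
            ctx = ssl.create_default_context()   # verifies the server certificate against system CAs
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                info["tls_version"] = tls.version()
                info["cipher"] = tls.cipher()[0]
        return info


if __name__ == "__main__":
    # Placeholder hostname; replace with a UCS host you are responsible for.
    print(probe_starttls("ucs-master.example.invalid"))
```

The same check with the OpenLDAP client tools is `ldapsearch -H ldap://HOST:7389 -x -ZZ -s base`, where `-ZZ` makes the command fail unless StartTLS succeeds; the hand-rolled version above is useful where those tools are absent or where you want to see the raw result code and diagnostic the server returns.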