Should I install all modules in one box?
It depends how many Network Elements you plan to monitor.
I advise you to read the the page 26-28 of the Orion Administration Guide.
The Orion Modules have to be installed on the top of the Orion NPM application except for Orion NCM one which can run as a standalone application. Engineer's Toolset can be integrated with Orion and its module but does not need to be on the same box.
ipMonitor is a standalone product that should be installed on different server.
Which ports to be open on firewall (apart from tcp/17777) ?
The TCP port 17777 needs to be opened only if you spread the applications on multiple servers, e.g. Orion NPM on a server and Orion NCM on another one.
Orion NPM => SNMP (UDP port 161), SNMP Traps (UDP port 162), PING (ICMP), Syslog (UDP port 514)
NetFlow => UDP Port 2055 by default (can be modified)
APM => WMI (TCP Port 135), SSH (TCP Port 22), SNMP
Wireless Monitor => SNMP
ipMonitor => SNMP, SNMP Traps, WMI
NCM => Telnet (TCP port 23), SSH, TFTP (UDP port 69), SNMP
Let us know if you need more details somewhere, I think I listed all the ports but if anyone has something to add, do not hesitate.