Most firewalls are also routers. You would likely not have to change them twice. 61067 (I think the AC port) is an internal port that wouldn't be changed on the external firewall. The external firewall is just to keep outside traffic from accessing your network. For example, an AC client needs to access the AC database via 61067.

Even though everything is denied by default, you would likely not have any issues leaving it that way. It is only certain ports that would need access like https (443) and http for web traffic. Special ports such as 3189 and 987 for RDP and SharePoint would need to be opened. That said, with 2008 servers and up, you have gateways which allow RDP to securely bypass the router. This makes things MUCH, MUCH safer. SharePoint you probably don't need. The last good example is if you had Exchange and you didn't use POP3. Say you used the infinitely better SMTP. You would have to open port 25. So basically 443 and 80 would be the only two. Keep in mind that those ports are open when you access them. So, if you access Yahoo.com, port 80 will be open but only to Yahoo.

Say you bought a Cisco RV042G; this is a router/firewall like most. All you would need with static IPs (you get 7 but can only use the middle 5 -- if you purchased 5 -- a good number) is your main outside IP, your outside default gateway, your subnet, usually 255.255.255.248 (for the public subnet -- inside usually 255.255.255.0), and the DNS numbers of your ISP (you have to have these). Your private or inside default gateway is on the inside subnet, usually 192.168.1.1, but it can be 0.1 or 16.1 -- there are many options, but it must match the default gateway of your clients.

If your router (firewall) has a wizard, it is simple. If you do use a server, there are a couple of more steps and your DNS servers would be on the server. Hugely imperative for a good network.
Bert
Pediatrics
Brewer, Maine
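The two points Bert makes above (a default-deny edge firewall where an outbound connection only opens the return path to the host you contacted, and a /29 block of public addresses where the ISP gateway eats one of the six usable hosts) can be checked with a small model. This is an added example, not Bert's configuration and not Cisco RV042G code; the addresses, the `Packet` class and the `StatefulFirewall` class are constructed for the demonstration, and the port policy (80 and 443 out, 25 in for SMTP) is only one of the choices the post describes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed packet: src/dst IPs, ports, and which way it crosses the edge."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the office LAN, "in" = arriving from the Internet


class StatefulFirewall:
    """Default-deny edge: only listed ports pass, plus replies to sessions the inside opened."""

    def __init__(self, inside_subnet, allowed_outbound_ports, allowed_inbound_ports=()):
        self.inside = ipaddress.ip_network(inside_subnet)
        self.allowed_out = set(allowed_outbound_ports)
        self.allowed_in = set(allowed_inbound_ports)
        # Sessions the LAN initiated: (inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def evaluate(self, pkt):
        """Return (allowed, reason). Anything not explicitly matched is denied."""
        if pkt.direction == "out":
            if ipaddress.ip_address(pkt.src) not in self.inside:
                return False, "deny: source is not on the inside subnet"
            if pkt.dport in self.allowed_out:
                # Remember the connection so only THIS peer's reply is let back in
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True, "allow: outbound port %d" % pkt.dport
            return False, "deny: outbound port %d not permitted" % pkt.dport

        # Inbound: a reply to a session we opened is fine ("open, but only to Yahoo")
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True, "allow: reply to established session"
        if pkt.dport in self.allowed_in:
            return True, "allow: published inbound port %d" % pkt.dport
        return False, "deny: unsolicited inbound traffic"


def usable_static_ips(public_cidr, isp_gateway):
    """Addresses a /29 customer can actually assign: hosts minus the ISP's gateway."""
    net = ipaddress.ip_network(public_cidr, strict=False)
    gw = ipaddress.ip_address(isp_gateway)
    return [str(a) for a in net.hosts() if a != gw]


def run_demo():
    """Exercise the model; constructed addresses come from the documentation ranges."""
    fw = StatefulFirewall("192.168.1.0/24", allowed_outbound_ports={80, 443},
                          allowed_inbound_ports={25})
    pc, web, stranger = "192.168.1.50", "203.0.113.10", "198.51.100.5"
    results = {}
    results["browse"] = fw.evaluate(Packet(pc, 51515, web, 80, "out"))
    results["reply"] = fw.evaluate(Packet(web, 80, pc, 51515, "in"))
    results["stranger_on_80"] = fw.evaluate(Packet(stranger, 80, pc, 51515, "in"))
    results["smtp_in"] = fw.evaluate(Packet(stranger, 40000, pc, 25, "in"))
    results["ac_port_from_outside"] = fw.evaluate(Packet(stranger, 40001, pc, 61067, "in"))
    results["rdp_out"] = fw.evaluate(Packet(pc, 51516, stranger, 3389, "out"))
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print("%-22s %s" % (name, reason))
    print("usable public IPs:", usable_static_ips("203.0.113.8/29", "203.0.113.9"))
```

The session table is what makes "port 80 is open, but only to Yahoo" true: the reply from the web server passes, the same port from a different host does not, and the internal AC port 61067 is never reachable from outside because nothing publishes it. The /29 math matches the post's count: 8 addresses, minus network and broadcast, minus the ISP gateway, leaves 5 to hand out.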