You have to make an exception  or "hole" in your firewall.

The normal TSM backup client data comes through on port 1500 (by default).
So your firewall administrator has to put in the firewall config that
"traffic to/from address xxx.yyy.zzz on port 1500 is allowed through".

It's a normal thing that a firewall administrator does.
However, if your site has a NO HOLES security policy, then you're stuck and
can't do it.

Tivoli doesn't care whether you do it or not, as far as I know; it's a
network routing issue.

We do it with no problems, although we had to also config the firewall for a
longer timeout value for that traffic.  Sometimes there will be no traffic
on the TCP/IP session for a while as the TSM client goes noodling around in
it's filesystem to find things to back up, and the firewall will assume it's
dead and try to terminate the session.  If that happens, just allow it a
longer timeout value.

That's a non-network-person's explanation of what you have to do:  I'm sure
some of the network gurus here can give a more technically correct one!