If I were to put a TA900 Adtran behind a router and enable port forwarding to mitigate DDoS attacks which TCP/UDP ports would be needed to forward to allow the Adtran to function?
You shouldn't need to put the TA 900 behind another router/firewall if you have it properly configured.
Make sure you look over this security document for guidelines:
Security Best Practices for AOS Products
I am assuming you are doing SIP trunking, then if so all you need is to allow SIP UDP 5060 in on the TA 900 firewall from the IP address of your softswitch. block everything else that is not needed.
Another feature is turning on firewall stealth (ip firewall stealth) which disables Internet Protocol version 4 (IPv4) Transmission Control Protocol (TCP) reset for denied IPv4 firewall associations.
Let us know if you have further questions.