This is a simple matter and surely can be done.
Here are the ports you need, but beware of some caveats; read to the end for details on those.
Management interface access from outside in on port 8443
AP firmware upgrade and other functions port TCP 11443
AP Stats and other info on port 91
AP to controller communication and configuration updates, etc. port 22
AP to controller registration on port 443
WISPr portal on controller 9998
AP hosted WISPr portal 9997
API access for SWIPE and other tools on port 7443
AP to dataplane tunneling for client data if you are tunneling to the controller on port 23233 TCP/UDP on this one
All ports are TCP with the exception of those mentioned
You do not need ports 12223 and 12222 unless you have legacy APs currently in ZoneDirectors that you want to migrate.
All ports listed above should be targeting your control plane/management plane, with the exception of the dataplane port listed, 23233, which should be targeting the data plane of the controller.
This is true if you configured the SZ100 in a two port group configuration; if you use one single IP for the entire unit and a single port group, then all ports should target that IP when you do your PAT at your firewall/router.
Hope this helps.
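
The port list above turned into a forwarding map, as an added example that is not part of the original post: it builds the expected PAT targets for the two port group and single port group cases, renders them as nftables DNAT rules, and audits an existing forward table for missing, misdirected, or unneeded entries. The IP addresses, the interface name `wan0`, and the nftables table and chain names are assumptions.

```python
import ipaddress

# (port, protocols, plane) as listed in the post. 12222/12223 are left out:
# the post says they are only needed when migrating legacy ZoneDirector APs.
PORTS = [
    (8443, ("tcp",), "control"),         # management interface
    (11443, ("tcp",), "control"),        # AP firmware upgrade
    (91, ("tcp",), "control"),           # AP stats
    (22, ("tcp",), "control"),           # AP to controller communication
    (443, ("tcp",), "control"),          # AP registration
    (9998, ("tcp",), "control"),         # WISPr portal on controller
    (9997, ("tcp",), "control"),         # AP hosted WISPr portal
    (7443, ("tcp",), "control"),         # API access
    (23233, ("tcp", "udp"), "data"),     # AP to dataplane tunnel
]


def expected_map(control_ip, data_ip=None):
    """Map (proto, port) -> target IP; data_ip=None means a single port group."""
    control = str(ipaddress.ip_address(control_ip))
    data = str(ipaddress.ip_address(data_ip)) if data_ip else control
    return {(proto, port): data if plane == "data" else control
            for port, protos, plane in PORTS for proto in protos}


def nft_rules(wan_if, control_ip, data_ip=None):
    """Render DNAT rules; table 'nat' and chain 'prerouting' are assumed names."""
    items = sorted(expected_map(control_ip, data_ip).items(),
                   key=lambda kv: (kv[0][1], kv[0][0]))
    return [f'add rule ip nat prerouting iifname "{wan_if}" '
            f'{proto} dport {port} dnat to {ip}'
            for (proto, port), ip in items]


def audit(forwards, control_ip, data_ip=None):
    """Compare existing forwards {(proto, port): ip} with the expected map."""
    want = expected_map(control_ip, data_ip)
    missing = sorted(k for k in want if k not in forwards)
    wrong = sorted(k for k in want if k in forwards and forwards[k] != want[k])
    extra = sorted(k for k in forwards if k not in want)  # exposure to review
    return missing, wrong, extra


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation range) and interface name.
    print("\n".join(nft_rules("wan0", "192.0.2.10", "192.0.2.11")))
```

The `extra` list from `audit` is the one to look at first when reviewing an existing firewall: anything forwarded to the controller that is not in the post's list is exposure with no stated purpose.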