Here are the ports you need, but beware of some caveats; read to the end for details on those.
- Management interface access from outside in on port 8443
- AP firmware upgrade and other functions on port TCP 11443
- AP stats and other info on port 91
- AP to controller communication and configuration updates, etc. on port 22
- AP to controller registration on port 443
- WISPr portal on controller on port 9998
- AP hosted WISPr portal on port 9997
- API access for SWIPE and other tools on port 7443
- AP to dataplane tunneling for client data, if you are tunneling to the controller, on port 23233 (TCP/UDP on this one)

All ports are TCP with the exception of those mentioned.
You do not need ports 12223 and 12222 unless you have legacy APs currently in ZoneDirectors that you want to migrate.
All ports listed above should be targeting your control plane/management plane, with the exception of the dataplane port listed, 23233, which should be targeting the data plane of the controller.
This is true if you configured the SZ100 in a two port group configuration. If you use one single IP for the entire unit and a single port group, then all ports should target that IP when you do your PAT at your firewall/router.
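
As an added example (not part of the original post and not vendor tooling), this shell function prints the iptables DNAT rules for the port list above, sending 23233 TCP/UDP to the data plane IP and falling back to the single IP when only one is given. The function names, the interface name and the 10.0.0.x addresses are constructed placeholders; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Ports are taken from the post above; everything else is a placeholder.
CONTROL_TCP_PORTS="8443 11443 91 22 443 9998 9997 7443"
DATA_PORT=23233   # tunnelled client data: TCP and UDP

# Print one DNAT (PAT) rule; nothing is applied to the running firewall.
# $1 = WAN interface, $2 = protocol, $3 = port, $4 = internal target IP
emit_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3" "$4" "$3"
}

# sz_pat_rules WAN_IF CONTROL_IP [DATA_IP]
# Two port groups: pass both IPs. Single port group: omit DATA_IP and
# every port, including 23233, targets CONTROL_IP.
sz_pat_rules() {
    wan_if=$1
    control_ip=$2
    data_ip=${3:-$2}
    [ -n "$wan_if" ] && [ -n "$control_ip" ] || {
        echo "usage: sz_pat_rules WAN_IF CONTROL_IP [DATA_IP]" >&2
        return 2
    }
    # Control/management plane ports, TCP only.
    for port in $CONTROL_TCP_PORTS; do
        emit_rule "$wan_if" tcp "$port" "$control_ip"
    done
    # Data plane tunnel port, both protocols.
    for proto in tcp udp; do
        emit_rule "$wan_if" "$proto" "$DATA_PORT" "$data_ip"
    done
}

# Constructed sample: two port group layout, then single IP layout.
echo "# two port groups"
sz_pat_rules eth0 10.0.0.10 10.0.0.11
echo "# single port group"
sz_pat_rules eth0 10.0.0.10
```

These rules only handle the address translation; the forwarding policy that permits the translated traffic is separate and depends on your firewall.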