NLA ports?

So big boss wanted all ports blocked to our “jumpboxes” except 3389 and ssh. No worries.

Get call at 5am, gee nobody can login! I allow SMB standard ports but keep getting NLA errors.

Anyone know what ports to allow for NLA to work correctly. It’s 6am and I haven’t had coffee yet and haven’t found much when searching.

I did an allow all until I can get coffee, pants, and big monitors :D

(This was wide open until yesterday. Asked to move jumps to a new zone and secure by only allowing 2 ports. So I did. Rather anticipated this issue, but NLA!)