Can Salt Stack minions communicate with the salt master from behind NAT/Firewalls, etc., using standard ports that would be open be default in all consumer NAT routers (and without the minions having a public DNS record or static IP)?

I'm working my way through my first salt tutorial, and this is where I'm stuck.

I am able to configure iptables on the Ubuntu salt-master. But I have no control over the routers/NAT that the minions will sit behind.

So far I tried these settings:

/etc/salt/master:

publish_port: 465
ret_port: 443

/etc/salt/minion:

master_port: 465

That did not work.

Background:

I have a custom developed application presently running on about 40 Kubuntu laptops (& more planned). Every few months I have to update the application. (Often this just amounts to replacing a .jar file, which requires root permissions.) I also have to run Ubuntu updates and a few other minor things. I've been doing it manually, one by one, using Team Viewer to log into each client.

I would like to dramatically improve this process. The two options I'm aware of are either:

1. use reverse ssh tunnels and bash scripts. I tested this and it works. But I don't get any of the reporting, etc., I would get with Salt Stack.

2. use Salt Stack (or similar) management tool. But I need a really simple tool. I can't invest any time in a big learning curve.

I looked at Puppet and a bunch of related tools. The only one I found that looked simple enough for me (so far) was Salt Stack. But I'm stuck now because my minion can't reach the salt-master, as stated above.

I appreciate suggestions.