I cannot recall the exact details any longer, but I believe we ran into the same problem with our dashboard hub when we originally set it up. I believe we had to put a public IP on the server. Like you, this was not something we could do easily in our environment, so one of our engineers came up with a clever solution that worked. We gave the server a private IP address, but instead of configuring NAT on the firewall, we added a loopback adapter (available as a built-in NIC driver in Windows) with the public IP address. Then we configured the firewall with a static route pointing traffic destined for that public IP address to the private IP address of the dashboard hub.
It is kind of a strange setup, but it worked like a charm. The other thing we did was move our "first tunnel port" on the dashboard hub to TCP 50000, so we did not have to worry about probes and tunnels battling for the same TCP port range. This way we could open up just a few ports, although I do not remember the exact list of ports opened. (I could probably look that up if it would help.)
As you work on this issue, please keep us posted on your progress, especially if you find a solution that works for you.
Regards,
Keit