So far so good. The URL is correct, because its the external address. You also don’t need to publish both http and https ports. I only map external https to internal http but you can do https to https. No serious modern browser tries http first and because I always force https anyways, it doesn’t need to be public. Only the reverse proxy may need it, for Let’s Encrypt.
Both UDP aren’t needed for public access. I only have mapped 8096 to my reverse proxy and it works.