I hope all is well. You seem to have this all sorted based on your comments added to the screen capture and the documentation reference you have cited as well.
But, never hurts to walk it through and ensure that clarity is just that, clear.
Let's start with the port issue. Port 443 is used for communication to download updates from Microsoft, but it is also allowed by default in most firewalls, and would not be an issue here, as the problem centers around communication between internal and external WSUS servers, not Microsoft and a WSUS server.
Ports 8530 and 8531 are used for WSUS to WSUS server communication IF the servers are version 6.2 and later. Server 2016 is later than version 6.2
As stated directly in the documentation:
2.1.2. Connection between WSUS servers
WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports are configured as follows:
On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
On WSUS 6.2 and later (at least Windows Server 2012 ), port 8530 for HTTP and 8531 for HTTPS are used
The firewall on the WSUS server must be configured to allow inbound traffic on these ports.
Now, let's discuss the SSL requirement for a virtual directory.
Again, back to the documentation, specifically in section 2.5. Secure WSUS with the Secure Sockets Layer Protocol
Configure SSL on the WSUS server - WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates. When you configure WSUS to use SSL, consider the following:
You cannot configure the whole WSUS website to require SSL because all traffic to the WSUS site would have to be encrypted. WSUS encrypts update metadata only. if a computer attempts to retrieve update files on the HTTPS port, the transfer will fail.
You should require SSL for the following virtual roots only:
You should not require SSL for the following virtual roots:
The do require / do not require guidance is clear.
This is one of those questions where you jut have to know the details and answer accordingly, as this is the way the WSUS product is designed to be deployed and configured.