If the software really depends on incoming connections on port 8443 and has to be reachable from the internet on multiple servers in the local network, then it's failure by design and the programmer probably has no idea what he is doing. As explained above, it won't work that way. Inside a network, this is no problem as a client can easily establish connections to multiple servers in the network at the same time and on the same port. Simple example: Network shares. It's no big deal to connect multiple shares at the same time - all running on the very same SMB/CIFS ports but on different servers (means: different destination IP).
Coming from the WAN, it's different. Why? Simple, NAT. Contrary to the above example of several client-server connections with separate destination IP addresses, an internet router masquerades the clients behind it so there is only one destination (looking from the WAN side) - thus only one server. This is by design and the software you are talking about won't work that way as it could connect to one single server only, the one defined in the single port forwarding for 8443.
A possible solution could be port translation. As long as the client software from the internet supports connections on different ports, you could try the following:
- all servers on the LAN run internally on default port 8443
- separate port forwardings with translated ports in router (see example below)
--- forwarding#1 --> wan-port 8443 --> forward to server#1 :8443
--- forwarding#2 --> wan-port 8444 --> forward to server#2 :8443
--- forwarding#3 --> wan-port 8445 --> forward to server#3 :8443
This is probably the only way to ensure that every server on the local network is accessible from the wan. Using one forward for all servers simply won't work, no matter what you do.
Apart from port forwardings, a VPN could be a solution as well. When a client connects to a VPN server in the network (like the ER), it can be configured as if the client itself would be IN the LAN. That way, the client could access the servers with their LAN IP address instead of connecting to a WAN IP - or even custom URLs like "server1.mylocalnet". Maybe that's your best bet.
But let me add some questions to your description as I might have misunderstood:
1) Client opens browser from outside the local network, right? Like from office#1 in Chicago (client) to the WAN IP / URL from office#2 in Shanghai (servers)?
2) What is actually tunneled? Is this some kind of custom VPN or what?
3) Daemon runs on the server machines or on the client machine? What does it actually do?
3a) If it runs on the server machines, does it trigger an outgoing connection (server#123 --> router --> wan --> client)?
3b) If it runs on the client, does it trigger a new connection (parallel to the browser connection on tcp 80) from the client to the server?
The direction of the connection is important. Regarding the router, an outgoing connection (LAN --> WAN) is no problem. Every consumer router out there handles dozens/hundreds of parallel connections from multiple computers in the local network to multiple servers in the internet on the very same port, tcp 80. That's basic browsing. An incoming connection, on the other hand, is different as the router itself is the destination (its WAN IP) and it has to decide what to do with the traffic - drop, deny, allow and forward it. That's what the firewall in the router does (drop/deny/allow) and the port forwarding, also known as destination NAT.
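As an added illustration (not part of the original post, and not any router's actual code), the Python model below shows why one WAN port can reach only one LAN server and how the translated forwardings 8443/8444/8445 from the list above resolve. The class name, the WAN address 203.0.113.10 and the 192.168.1.x server addresses are assumptions made up for the example.

```python
from ipaddress import ip_address


class PortForwardTable:
    """Minimal model of a router's destination-NAT (port forwarding) table."""

    def __init__(self, wan_ip):
        self.wan_ip = str(ip_address(wan_ip))
        # The lookup key is only (protocol, WAN port): the destination IP is
        # always the router's single WAN address, so it cannot tell servers apart.
        self.rules = {}

    def add(self, proto, wan_port, lan_ip, lan_port):
        key = (proto, wan_port)
        if key in self.rules:
            raise ValueError(f"{proto}/{wan_port} is already forwarded to {self.rules[key][0]}")
        self.rules[key] = (str(ip_address(lan_ip)), lan_port)

    def translate(self, proto, dst_ip, dst_port):
        """Return the LAN (ip, port) for an incoming packet, or None if it is dropped."""
        if str(ip_address(dst_ip)) != self.wan_ip:
            return None
        return self.rules.get((proto, dst_port))


def build_example():
    # Constructed addresses: documentation range for the WAN, RFC 1918 for the LAN.
    table = PortForwardTable("203.0.113.10")
    table.add("tcp", 8443, "192.168.1.11", 8443)  # forwarding#1 -> server#1
    table.add("tcp", 8444, "192.168.1.12", 8443)  # forwarding#2 -> server#2
    table.add("tcp", 8445, "192.168.1.13", 8443)  # forwarding#3 -> server#3
    return table


def second_forward_on_same_port_fails(table):
    """Pointing WAN port 8443 at a second server conflicts with forwarding#1."""
    try:
        table.add("tcp", 8443, "192.168.1.12", 8443)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t = build_example()
    for port in (8443, 8444, 8445, 8446):
        print(port, "->", t.translate("tcp", "203.0.113.10", port))
    print("duplicate 8443 rejected:", second_forward_on_same_port_fails(t))
```

Each forwarding is a separately exposed service on the WAN side, so unused rules should be removed and the firewall should restrict source addresses where the clients are known.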