So in essence, Port 80 redirects to 4000, but 4001 and 4002, still go to their respective paths, so all three fall under the SSL certificate.
A fall back would be to just allow access to 4000, 4001 and 4002 without the port 80 redirect, which would require the user to enter https://mydomain.com:4000 to visit the site, if that's easier to set up.