Stymied NAT multiuser failing TCP - P2P works

Ok… very rarely post in forums as normally being a lurker has normally worked, now I am stymied.
Situation: Jitsi on Ubuntu 18.04 behind a NAT for a secondary school.
Multiuser works fine on LAN.
One on one users fine outside of LAN - using WAN and NAT.
Multiusers fail outside of NAT.
I have reinstalled twice and followed advanced quick guide:
In sip-communicator.properties… (note: IP covered for privacy)
org.jitsi.videobridge.TCP_HARVESTER_PORT=4443

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.x.x.x

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.x.x.x

in Chrome://webrtc-internals have this so harvester works:

a=candidate:1 1 ssltcp 2130706431 10.x.x.x 4443 typ host generation 0
a=candidate:3 1 udp 2130706431 10.x.x.x 10000 typ host generation 0
a=candidate:2 1 ssltcp 1694498815 203.x.x.x 4443 typ srflx raddr 10.130.176.43 rport 4443 generation 0
a=candidate:4 1 udp 1677724415 203.x.x.x 10000 typ srflx raddr 10.130.176.43 rport 10000 generation 0

Ports opened on Firewall on NAT - no firewall on internal Ubuntu 18.04 - not needed.
Netcat tested on both remote and local box.

administrator@vco:~$ nc -vz 203.x.x.x 443
Connection to 203.x.x.x 443 port [tcp/https] succeeded!

administrator@vco:~$ nc -vz 203.x.x.x 4443
Connection to 203.x.x.x 4443 port [tcp/https] succeeded!

administrator@vco:~$ nc -vuz 203.x.x.x 10000
Connection to 203.x.x.x 10000 port [udp/*] succeeded!

Connections succeed on local IP address as well.

getting this in jvb.log:
JVB 2020-04-03 09:32:36.112 WARNING: [9313] org.jitsi.videobridge.EndpointMessageTransport.log() SCTP connection with 2b546360 not ready yet.

JVB 2020-04-03 09:32:36.112 WARNING: [9313] org.jitsi.videobridge.EndpointMessageTransport.log() No available transport channel, can’t send a message

and this in Javascript console:
Logger.js:154 2020-04-02T22:33:48.419Z [modules/RTC/BridgeChannel.js] <e.value>: Bridge Channel send: no opened channel.

Please note I have broken and repaired this many many times. I cannot figure out why the transport is not working as ports are open and chrome is seeing the ip addresses from the harvester. It must be tcp as p2p works fine externally. I cannot set up a TURN server as we have no more IP addresses.

Your support is very appreciated.
Many thanks.

Further to this.

Completely purged Jitsi and reinstalled Ubuntu 18.04 using quick guide. All works internally.
Externally P2P no problems; it's at the JVB where things fall apart with more than 2 people.

On reboot, jvb.log:
-04-04 11:37:15.694 INFO: [29] org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover: Discovered public address 210.x.x.32:59450/udp from STUN server 13.237.235.12:443/udp using local address 10.x.x.43:0/udp

2020-04-04 11:37:15.696 INFO: [20] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Using org.ice4j.ice.harvest.MappingCandidateHarvester, face=/10.x.x.43, mask=/203.x.x.59

2020-04-04 11:37:15.696 INFO: [20] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Using org.ice4j.ice.harvest.StunMappingCandidateHarvester, face=/10.x.x.43, mask=/210.x.x.32

2020-04-04 11:37:15.696 INFO: [20] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Initialized mapping harvesters (delay=2117ms). stunDiscoveryFailed=false

2020-04-04 11:37:15.699 INFO: [17] org.ice4j.ice.harvest.AbstractUdpListener.<init>: Initialized AbstractUdpListener with address 10.x.x.43:10000/udp. Receive buffer size 10485760 (asked for 10485760)

2020-04-04 11:37:15.707 INFO: [17] org.ice4j.ice.harvest.SinglePortUdpHarvester.<init>: Initialized SinglePortUdpHarvester with address 10.x.x.43:10000/udp

Chrome://webrtc-internals showing:
a=candidate:1 1 udp 2130706431 10.x.x.43 10000 typ host generation 0
a=candidate:2 1 udp 1694498815 203.x.x.59 10000 typ srflx raddr 10.x.x.43 rport 10000 generation 0
a=candidate:2 1 udp 1694498815 210.x.x.32 10000 typ srflx raddr 10.x.x.43 rport 10000 generation 0

We are behind a huge Department firewall. The external 203.x.x.59 address is designated and NATed to the internal 10.x.x.43 address, and you can see the raddr in the 1st candidate:2.
The second candidate:2 is the ISP 210.x.x.32 address, of which the 203.x.x.59 is part.

For the first time on reinstall, set a STUN server in sip-communicator.properties:

org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true

org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443

org.jitsi.videobridge.ENABLE_STATISTICS=true

org.jitsi.videobridge.STATISTICS_TRANSPORT=muc

org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost

org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.meet.wonthaggisc.vic.edu.au

org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb

org.jitsi.videobridge.xmpp.user.shard.PASSWORD=OxAQoKdt

org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.meet.wonthaggisc.vic.edu.au

org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=38f8a873-0a6a-47a6-aaec-7c4ee634f201

(I set the internal and external addresses as per firewall advice)
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.x.x.43

org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=203.x.x.59

The STUN server: meet-jit-si-turnrelay.jitsi.net:443 MUST be finding the ISP host number.
Why would this be happening and what setting have I left out in the NAT on the DMZ?

BTW ALL ports (TCP and UDP) are open between 203.x.x.59 external and 10.x.x.43 internal.

Looking forward to some help and thanks in anticipation.
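
Added example (not part of the original posts, and not Jitsi or ice4j code): a small Python parser for the a=candidate lines copied from chrome://webrtc-internals that lists every srflx candidate whose address or raddr differs from the NAT_HARVESTER_PUBLIC_ADDRESS and NAT_HARVESTER_LOCAL_ADDRESS values in sip-communicator.properties. The names parse_candidate and check_mapping are hypothetical, the sample lines are the masked candidates from the second post, and addresses are compared as plain strings because they are masked.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    typ: str
    raddr: Optional[str]
    rport: Optional[int]

def parse_candidate(line: str) -> Candidate:
    """Hypothetical helper: parse one 'a=candidate:' SDP attribute (RFC 5245)."""
    body = line.strip()
    body = body[2:] if body.startswith("a=") else body
    if not body.startswith("candidate:"):
        raise ValueError(f"not a candidate line: {line!r}")
    tok = body[len("candidate:"):].split()
    if len(tok) < 8 or tok[6] != "typ":
        raise ValueError(f"malformed candidate: {line!r}")
    ext = dict(zip(tok[8::2], tok[9::2]))  # raddr / rport / generation pairs
    return Candidate(tok[0], int(tok[1]), tok[2].lower(), int(tok[3]),
                     tok[4], int(tok[5]), tok[7], ext.get("raddr"),
                     int(ext["rport"]) if "rport" in ext else None)

def check_mapping(lines: List[str], local: str, public: str) -> List[str]:
    """Hypothetical helper: one finding per srflx mismatch with the config."""
    findings = []
    for c in map(parse_candidate, lines):
        if c.typ != "srflx":
            continue
        where = f"{c.transport} {c.address}:{c.port}"
        if c.address != public:
            findings.append(f"{where}: not NAT_HARVESTER_PUBLIC_ADDRESS {public}")
        if c.raddr != local:
            findings.append(f"{where}: raddr {c.raddr} is not NAT_HARVESTER_LOCAL_ADDRESS {local}")
    return findings

# Masked candidate lines as posted above; addresses are opaque strings here.
SAMPLE = [
    "a=candidate:1 1 udp 2130706431 10.x.x.43 10000 typ host generation 0",
    "a=candidate:2 1 udp 1694498815 203.x.x.59 10000 typ srflx raddr 10.x.x.43 rport 10000 generation 0",
    "a=candidate:2 1 udp 1694498815 210.x.x.32 10000 typ srflx raddr 10.x.x.43 rport 10000 generation 0",
]
if __name__ == "__main__":
    print("\n".join(check_mapping(SAMPLE, "10.x.x.43", "203.x.x.59")))
```

Run against the real, unmasked lines from webrtc-internals, with the two addresses taken from sip-communicator.properties.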