No settings on the Emby side, actually - which is the nice part. Only the Synology.
The source is what you're going to actually connect via https to whatever IP or dns name your synology is. I pickup port 8921 because it was available and it was "one up" from Emby's preferred https port. I'm not using Emby's secure port, but if I wanted to play with that in the future, I didn't want to use the same one and have a conflict.
Destination 8096 is Emby's default http unsecured port.
Lets say my Synology's IP is 10.0.1.100
When you connect, you'll use https://10.0.1.100:8921 - the Synology will automatically reverse proxy that to Emby. Hopefully your Synology is behind a firewall, so you'll need to allow port 8921 connections from the outside world if you're using Emby from outside. Don't open port 8096 as that would defeat the purpose of this.
I've tested this using the androidtv & roku clients in house (not really needed), and externally on my phone with the android app as well as various browsers. I don't have an Emby Connect account, so don't know if it works that way.