KG, yes, come to think of it - it does have a technote of best practice somewhere regarding Exchange 2013 OMA.
Enterprise Vault 10.0.3 and later: Requesting and Applying an SSL Certificate
http://www.symantec.com/business/support/index?page=content&id=HOWTO83452
Ideas to work around this? Here are a few:
- Well, you can use internal certs for your internal server and use an application firewall/proxy/gateway (TMG/F5) to do the link translation to your internal domain.
i.e. https://mail.externaldomain.com/enterprisevault (using ext cert) -> https://evserver.domain.local/enterprisevault (using int cert)
Obviously, internally you will have to ensure the internal certs are automatically enrolled via AD GPOs.
- Split Brain DNS - i.e. you create a DNS record for your external domain internally
i.e. mail.externaldomain.com -> private ip and evserver.externaldomain.com -> private ip
It's a bit tricky but this will allow your external certs to resolve and work internally.
http://exchange2010admin.blogspot.com.au/2013/10/exchange-configuration-with-split-brain.html
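
The split-brain DNS option above, as an added example that is not part of the original post: it creates one "pinpoint" zone per hostname rather than an internal copy of the whole external zone, so every other name under externaldomain.com keeps resolving through public DNS. The hostnames are the ones used in the post; the IP addresses, the DNS server name and the use of AD-integrated zones are assumptions.

```powershell
# Requires the DnsServer module (RSAT DNS tools) and rights to manage the internal DNS server.
# Hostnames come from the post; the private IPs below are constructed placeholders.
$records = @{
    'mail.externaldomain.com'     = '10.0.0.10'   # constructed: internal proxy / Exchange address
    'evserver.externaldomain.com' = '10.0.0.20'   # constructed: internal Enterprise Vault address
}
$dnsServer = 'localhost'   # assumption: run on an AD-integrated internal DNS server

foreach ($fqdn in $records.Keys) {
    # Pinpoint zone: the zone is named after the single host, so the internal server is
    # authoritative for that one name only, not for all of externaldomain.com.
    if (-not (Get-DnsServerZone -Name $fqdn -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope Forest -ComputerName $dnsServer
    }

    # A record at the zone apex ('@') pointing at the private address.
    $existing = Get-DnsServerResourceRecord -ZoneName $fqdn -Name '@' -RRType A `
        -ComputerName $dnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' `
            -IPv4Address $records[$fqdn] -ComputerName $dnsServer
    }
}

# Check: each name must resolve to the expected private address when asked internally.
foreach ($fqdn in $records.Keys) {
    $answer = Resolve-DnsName -Name $fqdn -Type A -Server $dnsServer -DnsOnly -ErrorAction SilentlyContinue
    $ips = @($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    if ($ips -contains $records[$fqdn]) {
        Write-Output "OK    $fqdn -> $($ips -join ', ')"
    } else {
        Write-Warning "$fqdn resolves to '$($ips -join ', ')' (expected $($records[$fqdn]))"
    }
}
```

The externally issued certificate only validates internally if every hostname published this way is present in its subject or SAN list, so confirm that before switching clients over.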