If your external email domain is customer.com but your internal domain is customer.net, for example, clients will warn that the server cannot be trusted unless the wildcard certificate also contains the internal *.customer.net name. This is because the certificate does not list the internal host names the clients are connecting to. Before you go away and purchase additional SANs on the wildcard certificate, there is a workaround for this using Exchange PowerShell:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://cas.customer.com/Autodiscover/Autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://cas.customer.com/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://cas.customer.com/OAB
Note: You must ensure that you enable SSL on the OAB directory in IIS, which is not on by default. The above command will only enable SSL, but will not ensure 128-bit SSL is required.
Enable-OutlookAnywhere -Server CASServer -ExternalHostname "cas.customer.com" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False
These changes are needed because by default the URLs will be the server names with the .net or .local suffix, whichever you have internally.
This will resolve those issues for you!
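To confirm that every URL handed to clients is covered by the certificate, the following added example (not part of the original post) checks URL host names against a certificate's domain list, including the rule that a wildcard covers only one label. The function name `Test-CertCoversHost`, the host `casserver.customer.net` and the sample lists are assumptions constructed for illustration.

```powershell
# Added example: function name and sample values are constructed for illustration.
function Test-CertCoversHost {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string[]]$CertificateDomains
    )
    foreach ($name in $CertificateDomains) {
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label:
            # *.customer.com matches cas.customer.com,
            # but not customer.com or a.b.customer.com.
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot + 1) -ieq $name.Substring(2)) {
                return $true
            }
        }
        elseif ($HostName -ieq $name) {
            return $true
        }
    }
    return $false
}

# Constructed sample: names on the wildcard certificate and the URLs clients receive.
$certDomains = @('*.customer.com', 'customer.com')
$urls = @(
    'https://cas.customer.com/Autodiscover/Autodiscover.xml',  # changed to the external name
    'https://cas.customer.com/EWS/Exchange.asmx',              # changed to the external name
    'https://casserver.customer.net/OAB'                       # still the default internal name
)

foreach ($url in $urls) {
    $target = ([uri]$url).Host
    New-Object PSObject -Property @{
        Url     = $url
        Covered = Test-CertCoversHost -HostName $target -CertificateDomains $certDomains
    }
}

# On the Exchange server the same inputs can be read from the live configuration:
#   (Get-ExchangeCertificate -Server CASServer).CertificateDomains
#   (Get-ClientAccessServer -Identity CASServer).AutoDiscoverServiceInternalUri
#   (Get-WebServicesVirtualDirectory -Server CASServer).InternalUrl
#   (Get-OABVirtualDirectory -Server CASServer).InternalUrl
```

Any URL reported with `Covered` as `False` will still trigger the trust warning in the client.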