0

We have a client with an external domain of abc.com and an internal domain of xyz.local. I see a lot of articles stating that for Exchange you should have a multi-domain cert that has Subject Alternate Names for both the external and internal domains. However, we have a couple of clients that have only the external name covered in the certificate, and it seems to be working fine. They aren't receiving SSL error messages in Outlook or when accessing OWA. Can anyone explain why a cert that covers both the external and internal domain names would be necessary? Are there circumstances where someone could skip the internal domain without consequence?

As pointed out in the comments I could have phrased my question better. Can someone give any good reasons to have a cert that covers both internal and external domain names? This is suggested by this DigiCert article: http://www.digicert.com/ssl-support/exchange-2010-san-names.htm I've also seen Microsoft TechNet articles say something similar.

2 Answers

0

The name you use in the connection to the server is the one which is used for validating the certificate, and this name needs to be included there. But which name you use for connecting depends on your setup: it might be an internal name only, but it might also be the external name in case you have split-DNS, i.e. a different IP for the same hostname when resolving from inside versus outside.

0

Really this should be Joe's, as his comment is basically the answer...but to bring it home I guess:

Can someone give any good reasons to have a cert that covers both internal and external domain names?

Most shops that run Exchange do so for their own employees. As such, employees often work on their computers on the internal LAN that the Exchange server(s) are on, and resolve these servers to internal DNS names.

At the same time, such employees use smart phones, work from home, work while traveling, etc., and need access via ActiveSync, Outlook Anywhere, and OWA to use the Exchange servers' services. This requires resolution to EXTERNAL DNS names.

Typically internal and external domain names aren't the same (with regard to both hostname and domain name).

TheCleaner
  • 33,047
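As an added illustration (not part of either answer), the script below checks which client-facing hostnames a certificate's SAN list leaves uncovered in the three access scenarios the answers describe: internal clients without split-DNS, internal clients with split-DNS, and external clients. The two SAN lists and all hostnames (mail.abc.com, exch01.xyz.local, the autodiscover names) are constructed for the example and taken from no real deployment.

```python
"""Which hostnames used to reach Exchange does a SAN list fail to cover?

All SAN entries and client-facing hostnames below are constructed for this
example (abc.com / xyz.local as in the question), not read from a real cert.
"""


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, and '*' may stand in
    only for the whole leftmost label (it never matches across a dot)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.abc.com" -> ".abc.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def uncovered_names(sans, client_names):
    """Return the client-facing names that no SAN entry matches.
    An empty list means clients using those names get no certificate warning."""
    return sorted(n for n in client_names
                  if not any(san_matches(s, n) for s in sans))


# Constructed certificates: one with public names only, one multi-domain.
EXTERNAL_ONLY_CERT = ["mail.abc.com", "autodiscover.abc.com"]
MULTI_DOMAIN_CERT = EXTERNAL_ONLY_CERT + ["exch01.xyz.local", "autodiscover.xyz.local"]

# Names clients actually connect to in each scenario (constructed).
SCENARIOS = {
    # Inside Outlook without split-DNS uses the server's AD FQDN and the
    # internal Autodiscover name.
    "internal, no split-DNS": ["exch01.xyz.local", "autodiscover.xyz.local"],
    # With split-DNS the public names resolve to an internal IP, so inside
    # clients present the same names as outside clients.
    "internal, split-DNS": ["mail.abc.com", "autodiscover.abc.com"],
    "external (OWA, ActiveSync, Outlook Anywhere)": ["mail.abc.com", "autodiscover.abc.com"],
}


def report(cert_sans):
    """Map each scenario to the names the certificate leaves uncovered."""
    return {label: uncovered_names(cert_sans, names) for label, names in SCENARIOS.items()}


if __name__ == "__main__":
    for title, sans in (("external-only cert", EXTERNAL_ONLY_CERT),
                        ("multi-domain cert", MULTI_DOMAIN_CERT)):
        print(title, report(sans))
```

The external-only certificate is clean in every scenario except "internal, no split-DNS", which is exactly the case where a client on the LAN would see the SSL warning the question asks about.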