Endpoint Encryption

  • 1.  Symantec Endpoint Encryption - Hide Internal server to public

    Posted Jun 15, 2016 01:49 PM

    Hello and thanks in advance,

    I am in the process of prepping Symantec Endpoint Encryption in our enterprise. It will be deployed through GPO. Some policies passed down are dictating specific levels of security, specifically in this case not to expose internal names to the external internet. I need our external SEE clients to be able to "check in". I would like to use a name that is not actually on our internal network for the URL that SEEMS uses. However, I cannot seem to build a client package that will point to the "fake" name. I get an SSL/TLS error. My thought was to add an A record to DNS that points the fake name to the real host's IP.

    Real server, something like: realinternal.domain.com (IP 1.1.1.1)

    External: seems.domain.com (A record points to 1.1.1.1)

    So, I'm stuck. I even tried using new self-signed certs with the "issued to" name being seems.domain.com and still get the SSL/TLS error. So I guess my questions are:

    1) Is there a way to make exactly what I am trying to do work, and if yes, how?

    2) Could I create a 2nd server for internal to sync with and put this on a separate VLAN or DMZ zone, and how?

    3) Is there some other way I have not thought of yet?

    4) Any other suggestions?

    Thank you for reading and responding to this.



  • 2.  RE: Symantec Endpoint Encryption - Hide Internal server to public

    Posted Jun 22, 2016 06:28 PM

    There are a few things that need to work in conjunction here. The name you are using for the Web Server must exactly match the certificate issued for it, which must also match a DNS entry. That being said, I have been able to generate self-signed certificates using PowerShell that will validate and allow package creation, and you can designate any host name you like. The certs generated this way are for testing purposes, according to Microsoft.

    You also need to make sure the certificate you are trying to use is added to Trusted certificates on the server, as well as in IIS.
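
The steps described in the reply above, sketched as an added example that is not part of the original thread or of Symantec's documentation: it creates a self-signed certificate for the external name, trusts it on the server, and reports whether the certificate name, the DNS entry and the trust chain agree. The host name is the one from the question; the export path and the choice of the `LocalMachine` stores are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the management server.
# $HostName is the external name from the thread; the .cer path is an assumption.
$HostName = 'seems.domain.com'
$CerPath  = Join-Path $env:TEMP "$HostName.cer"

# 1. Self-signed certificate whose subject and SAN are the external name.
#    Per the reply above, certificates generated this way are for testing.
$cert = New-SelfSignedCertificate -DnsName $HostName `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Trust it on the server: export the public certificate (no private key)
#    and import it into the machine's Trusted Root store.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
Import-Certificate -FilePath $CerPath `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Check the three things that have to agree: certificate name, DNS, trust.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName = $cert.GetNameInfo($nameType, $false)   # DNS name from SAN, else CN

try   { $addresses = [System.Net.Dns]::GetHostAddresses($HostName) }
catch { $addresses = @() }                         # name does not resolve

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # self-signed: no CRL to consult
$chainOk = $chain.Build($cert)

[pscustomobject]@{
    HostName        = $HostName
    CertificateName = $certName
    NameMatches     = ($certName -eq $HostName)
    DnsResolvesTo   = ($addresses -join ', ')
    TrustedOnServer = $chainOk
    Thumbprint      = $cert.Thumbprint
}

# Selecting this certificate for the web site in IIS is a separate step;
# use the Thumbprint above to identify it in the binding dialog.
```

If `NameMatches` or `TrustedOnServer` is false, or `DnsResolvesTo` is empty, one of the conditions listed in the reply is not met for that name.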