I’m in the same boat you are in. I have an Exchange Server 2003 (it’s a DC and GC) and I used the Comodo 30 day free SSL Certificate, and I also have a TZ 170 enh firewall.
My MX records are set on my main DC/GC server, which I’ll call Echo1.
My Exchange Server 2003 Svc Pk2 is set up on Echo 2.
Echo 2 is not a member of the forest of Echo 1.
Domain on Echo 1 is Echo1.com
Domain on Echo 2 is Echo2.local
Exchange Server 2003 on Echo2 is functioning. When I installed the RPC over HTTP/S side, it did not configure Exchange Server as a Front End server on RPC over HTTP/S.
The only 2 options it’s giving me are a back end server or not part of the topology.
I am able to get to it via VPN on the TZ 170, but like you, am unable to get to it without the VPN connectivity.