Here is a link on configuring SSL for RDS:
http://technet.microsoft.com/en-us/library/dd320345%28v=ws.10%29.aspx
I would just create an additional DNS record for the internal users:
e.g.
External:
RDS.companyname.com - pointing to the external IP
Internal:
RDS.trusted.local - pointing to the internal IP
RDS.companyname.com - pointing to the internal IP
Once the RDS server is configured to answer on RDS.companyname.com, external folks will get the external IP but the server configured for external users.
Internal users will get the one configured for internal users.
Or you can simply create an A record pointing to the internal server that does not match and request a SAN name for the cert that matches that name, e.g.:
One cert with two SANs
Subject for external:
RDS.RDS.companyname.com
Subject for internal:
InternalRDS.companyname.co
All you would do is configure the external server to match the DNS name and the internal to match the internal DNS name.
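
Added example, not part of the original post: a small Python check that lists, for each DNS view in the split-DNS layout above, any name clients can resolve that the RDS certificate's SANs do not cover (those are the names that produce a certificate name-mismatch warning). The IP addresses and the two-SAN certificate are constructed sample values, and `san_matches` / `uncovered_names` are hypothetical helper names.

```python
# Added example: flag DNS names that would trigger an RDP certificate name mismatch.
# IP addresses and the two-SAN certificate below are constructed sample values.

def san_matches(san: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is honoured only as the whole left-most label."""
    s = san.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(s) != len(h):
        return False
    if s[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD-level name.
        return len(s) > 2 and s[1:] == h[1:]
    return s == h


def uncovered_names(views: dict, cert_sans: list) -> dict:
    """For each DNS view, list the resolvable names the certificate does not cover."""
    return {
        view: [name for name in records
               if not any(san_matches(san, name) for san in cert_sans)]
        for view, records in views.items()
    }


# Split-DNS layout from the post (addresses are constructed placeholders).
VIEWS = {
    "external": {"RDS.companyname.com": "203.0.113.10"},
    "internal": {"RDS.trusted.local": "10.0.0.10",
                 "RDS.companyname.com": "10.0.0.10"},
}

SINGLE_NAME_CERT = ["RDS.companyname.com"]
TWO_SAN_CERT = ["RDS.companyname.com", "RDS.trusted.local"]  # constructed

if __name__ == "__main__":
    for label, sans in (("single-name", SINGLE_NAME_CERT),
                        ("two-SAN", TWO_SAN_CERT)):
        for view, missing in uncovered_names(VIEWS, sans).items():
            status = "OK" if not missing else "MISMATCH for " + ", ".join(missing)
            print(f"{label:12} {view:9} {status}")
```

With the single-name certificate, internal clients stay warning-free only if they connect as RDS.companyname.com; connecting as RDS.trusted.local is reported as a mismatch.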