LCS Access Proxy Certs

This seems to be an issue with a lot of people, but I am posting this anyway as there hasn't really been a good answer, not to mention I am literally more confused the more I work on this. If anyone has any help PLEASE let me know. I am beyond desperation.

Background Info:

We have an LCS 2005 Standard Server configured and working... the certificate for this is working fine for all internal domain users.

We do not have an LCS Director server.

The LCS Server is on our local network... its FQDN is 'jupiter.domain.local'.

Our Access Proxy is set up in our DMZ and is not joined to our domain... It has two DMZ IPs, one for the external edge and one for the internal edge. (This seems to be a problem... how can a server have an FQDN if it is not on a domain of any sort?) This server's name is saturn.

I created a DNS record for our external website that will be used for contacting LCS for public IM connectivity, "im.domain.org"... pointing to the external edge DMZ IP address.

We have a certificate from Equifax for the external edge and it is currently installed and seems to be working fine on the access proxy. (Configured in the "public" tab of the access proxy; it also is using the DNS name "im.domain.org".) This is being NAT'd from our WAN IP to our DMZ "external edge" IP.

On the "private tab" I have configured the IP for our "internal edge" DMZ IP of the access server... (which has firewall rules set up to allow port 5061 TCP to "jupiter.domain.local" and port 53 TCP/UDP to "dnsserver.domain.local"). (I have selected the same certificate we are using for our local domain clients that was created when we set up the LCS server in this tab... I think this is incorrect.)

On the "internal tab" I have set the next hop server to "jupiter.ucnsb.local". I also added the internal SIP domains "domain.org" and "domain.local", and then in the "Internal servers authorized to connect to this Access Proxy" list I input "jupiter.domain.local".

Also, I went into the hosts file on the Access Proxy "saturn" and mapped the internal domain IP 192.168.*.* to "jupiter.domain.local".

Now the problems begin:

I think the major problem is that I have not put the correct certificate on the "private edge" of the access proxy. I cannot really find any good information on doing this. We have a standalone CA which is actually running on the LCS server "jupiter.domain.local". I don't know what to put for the FQDN of our access proxy for the internal edge either, because it is technically named "saturn" without a domain name, because Microsoft recommends that you do not add this computer as a registered computer on the domain.

Also, when I run LCSDiag.exe on the Access Proxy to check TCP/TLS connectivity to WMI-configured servers, I get the following error when I choose the LCS server "jupiter.domain.local".

For the steps "Checking next hop server" and "Checking internal servers" this is the error message:
"Check connectivity FAIL"
Server: [jupiter.domain.local] on 192.168.*.*:5061, TLS
The certificate chain was issued by an authority that is not trusted
The client does not trust the root certificate. Please install the CA chain on the client machine

I have installed the chain (which is the chain that is being used by our internal clients) on the Access Proxy and the LCS Server into the Trusted Certificate Store already. Do I need to create a new certificate for the Access Proxy to use on the internal edge that is different from the certificate that I created originally for the clients to connect to the LCS server? If so, is there any documentation on the specifics needed to do this?

Hopefully I have provided enough information about our setup. If you have additional questions about something that I forgot to address, please feel free to post them here and I will reply. I really need help with this, and any recommendations or steps I have missed are welcome!

Thank you in advance for your kindness.
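Added example, not part of the original post: the LCSDiag error above is the generic TLS failure "issuer not in the trust store", and the question about what FQDN to put in the internal-edge certificate is the generic TLS hostname check. The script below reproduces both checks with the openssl CLI against a throw-away CA and server certificate generated locally, so you can see what a peer will accept before touching the real servers. The names jupiter.domain.local and saturn come from the post; the CA name "LabCA", the temporary directory and the helper function are assumptions of this example, and the generated keys are for demonstration only.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a private CA and a
# server certificate with the openssl CLI, then runs the two checks a TLS
# peer performs: does the chain end in a trusted root, and does the
# certificate carry the name the peer connected to?
# "LabCA" and the work directory are assumptions; hostnames are from the post.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. A private CA, standing in for the standalone CA on jupiter.domain.local.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=LabCA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. A server certificate for the LCS server, issued by that CA, with the
#    FQDN in the subjectAltName (that is what hostname checks look at).
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=jupiter.domain.local" -keyout jupiter.key -out jupiter.csr 2>/dev/null
printf 'subjectAltName=DNS:jupiter.domain.local\nextendedKeyUsage=serverAuth\n' > jupiter.ext
openssl x509 -req -in jupiter.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile jupiter.ext -out jupiter.pem 2>/dev/null

# verify_chain <cert> <ca-file-or-empty> <expected-hostname>
# Returns 0 only if <cert> chains to a root in <ca-file> AND carries
# <expected-hostname>. An empty CA argument means "empty trust store",
# which is the situation the LCSDiag message describes.
verify_chain() {
    cert=$1; ca=$2; name=$3
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -verify_hostname "$name" "$cert" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile -verify_hostname "$name" "$cert" >/dev/null 2>&1
    fi
}

# Demonstration: one good case and the two failure modes from the post.
verify_chain jupiter.pem ca.pem jupiter.domain.local && echo "OK: trusted root and name match"
verify_chain jupiter.pem "" jupiter.domain.local || echo "FAIL: issuer not in trust store (the LCSDiag error)"
verify_chain jupiter.pem ca.pem saturn || echo "FAIL: certificate is not issued for the name saturn"
```

The same two checks can be run against a live listener with `openssl s_client -connect jupiter.domain.local:5061 -CAfile ca.pem -verify_hostname jupiter.domain.local`; the "Verify return code" line at the end of its output tells you which of the two checks the peer is failing. Note that the trust check is done by the side that connects, so the CA chain has to be in the trust store of whichever machine initiates the TLS connection on port 5061, and the hostname check compares the name the connecting side used (here, the name resolved through the hosts file) against the subjectAltName of the certificate presented.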
