OK, forget all of that VPN mumbo jumbo.
Does your entity have an external FQDN (www.microsoft.com would be an FQDN)?
I assume since you were looking at the certificate part, you are interested in secure communication between users and your server (https:).
So, you need to configure your router to forward TCP port 443 to the IP address of the machine that will be running OWA.
Then you need to fill out a certificate request, through the security tab of your website, and submit it to a trusted root CA (like VeriSign or Thawte).
Then return to the security tab of your website, and install the certificate.
Then you will be able to type
https://yourcompany.com/exchange
Hope that helps...
bbt
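
A way to check the outcome of the steps in the reply above, as an added example that is not part of the original post: it connects through the forwarded port 443, lets the default trust store reject a certificate that does not chain to a trusted root, and reports name or validity-date problems for the external FQDN. The function names and the `mail.example.com` sample are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect through the forwarded port. The default context raises
    ssl.SSLCertVerificationError if the chain is untrusted or the name is wrong."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_problems(cert, host, now=None):
    """Reasons a browser would warn when opening https://host/exchange."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name mismatch")
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed sample in the shape ssl.getpeercert() returns (not a real cert).
SAMPLE = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
```

Against a live server, `cert_problems(fetch_peer_cert("yourcompany.com"), "yourcompany.com")` returning an empty list means the certificate installed on the site matches the name users will type.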