RDS 2012 Published through TMG

Here's the test setup:

1. internal domain forest: espaxis.net
2. internal tree domain: tpmaxis.net
3. Hyper-V 2012 R2 Domain controller: dctpm.tpmaxis.net
4. Hyper-V 2012 R2 RDS Server: apptpm.tpmaxis.net  (RD Connection Broker, RD Web Access, RD Gateway)
5. RD Gateway Server:  apptpm.tpmaxis.net
6. RD Web Access URL: https://apptpm.tpmaxis.net/RdWeb 
7. TMG 2010 Server: gw.espaxis.net
8. Internal URL: https://apptpm.tpmaxis.net
9. External URL: https://app.somedomain.com  (DNS working fine)
10. CA Issued Certificate: app.somedomain.com
11. SS Certificate: apptpm.tpmaxis.net

Questions:

1. Does the  RDS Server (deployment not actual network name) need to be setup with server name: app.somedomain.com or apptpm.tpmaxis.net?
2. Do the RD Connection Broker, RD Web Access, RD Gateway Certificates all need to follow name above?
3. As I understand the process,  the RDS client sets up an SSL Tunnel through the TMG to the RD Gateway,  and so I should expect the remote app to be looking for the internal App Server name apptpm.tpmaxis.net and not app.somedomain.com?

I have gotten this all working internally,  and limited success from the internet.  From a remote site I can connect, login and get the app collection folder on the RdWeb,  but when I launch an app I get App Disconnected and a complaint that it cannot connect to the app server.   

S.