Setting Up TMG for Exchange Active Sync and Lync Server 2013

Dear Guru,

I'm trying to setup Lync 2013 in our server, currently now our server was running AD + EAS and TMG all in different VM, and now i add 1 more VM for Lync 2013 server.

the installation was fine, i manage to install it and make it run locally - I'm able to call meet.mydomain.com from other VMs.
the problem now is i can't publish the Lync over internet...

few questions:

1. is it mandatory to setup external url different with internal url? because i can't see the reason why need to put it differently...
2. is it possible to run both EAS and Lync through same public IP?
I have public IP 210.48.xx.xx and i put mail.mydomain.com as well as lync.mydomain.com to point to that public IP - so what i plan is: i'm expecting that TMG able to drive the request to the correct VM, for example if the request for EAS then drive to EAS VM, if the request for lync then drive to Lync VM...
3. related to my attempt to make question no 2 successful, i create 1 web server cert for both EAS and Lync, i just put all of the necessary url in "subject alternative name" as follow:

DNS Name=eas.mydomain.com
DNS Name=mail.mydomain.com
DNS Name=mydomain.com
DNS Name=autodiscover.mydomain.com
DNS Name=pop.mydomain.com
DNS Name=legacy.mydomain.com
DNS Name=sip.mydomain.com
DNS Name=lync.mydomain.com
DNS Name=elync.mydomain.com
DNS Name=dialin.mydomain.com
DNS Name=meet.mydomain.com
DNS Name=lyncadmin.mydomain.com
DNS Name=lyncdiscoverinternal.mydomain.com
DNS Name=lyncdiscover.mydomain.com

so there won't be any issue for cert (i assume, because the EAS still work after i change the cert)

the reason i create 1 cert for both is: because TMG not allowing more than 1 listener to listen at the same port and IP -  so i make the 1 listener to listen port 443 and use the general cert that i explain above... then i apply this listener to my EAS and Lync Rule...- is there any better approach of this? is change the default port (e.g. to 442?) of lync will solve this problem?

ok until here all looks good...
then i tried to test lync connectivity and the result is:
the cert was fine but, the http authentication failed...
and second things... when i tried to test rule in TMG, i got timeout (code: 10060) for all of the URLs - seems like tmg cannot contact the lync url (all URLs)

so, anyone have Idea? i'm quite stuck over here....
kindly please advise

Cheers,