In order to overcome the red X you will have to renew the cert (or host your own internal private PKI system).
[If you don’t need any interaction with the Internet, then you may not even need “real” domain names, nor a cert that is valid on the Internet.]
In order to renew the public cert you will have to have an internet routable IP for the name(s) on the cert.
Which means you will have to continue to renew the domain(s) in the cert(s) and authenticate via HTTP (or DNS).
As for using a reverse proxy, you could; at a minimum, you would need to allow the authentication requests to reach the internal server in order to issue the cert(s) right from the Exchange server.
It really depends on your exact scenario… and the choices you make.
Like: Which version of Windows, how much knowledge you have with all things related, and how much access you have to make required changes…
FYI - information like:
creates more questions than it answers.