Why do we need to list our CAS servers as SANs in Exchange 2010's UCC certificate?

ssl ssl-certificate exchange exchange-2010

It's by design. Autodiscovery is going on internally and externally, and it happens to default to the internal CAS Server name.

As you already figured out, you need to change all services to use the External URL as Interal URL as well, else your internal clients will receive certificate errors.

Related

Logging HAProxy connection limiting
Sending 10,000 emails?
Migration from Exchange 2003 to Google Apps
Running IIS and Apache on the same Windows Server
memory difference on top and htop
How to set up port forwarding for postgresql listening on localhost?
Elastix Upgrade fails CentOS yum missing dependency with libwat, libgsmat, and libss7
Centos 7 How to fully disable cron email generation
Why create a reverse DNS record for every device that connects to a wireless network?
Automatic failover for domain controller
Postifx - Dovecot unable to send emails "status=bounced (user unknown)"
How to make qmail to feed email into shell command?