This is sort of a stab in the dark, but I'm wondering if WSAM is getting confused because you have the entire internal network as WSAM allowed servers. I'd recommend you try two scenarios -
(1) Have no WSAM allowed servers and let the application definition suffice
(2) Have only the name of the server(s) to which ActiveSync communicates in the WSAM allowed server list.
I'm wondering whether WSAM has a problem with the fact that the (internal) DNS server used when you are connected to the local network is within its allowed server list, and finds it can't resolve the name of the external interface of the SA. Maybe there is something else going on, but it would seem to me that having the application name defined to WSAM and leaving the allowed server list empty would be sufficient.
I've been testing 6.2r1. This is a very buggy release. I'd suggest testing with 6.1 first. Note that doing an XML dump is broken, so don't depend on this to downgrade. Also note that if you do a rollback you lose any configs you made in 6.2 (learned all this the hard way).
JTAC said the 6.2r2 (or 3 or whatever) was coming soon, so if you can hold on, your results may improve.