Bruce -
yes…
BUT…
Actually, watching that youtube video was what prompted me to re-post this.
As people who work in technology, we know that often the devil is in the details.
The DNS trick you explain in that NetTalk webinar (and that I’ve seen you describe various times before) is an offshoot of what I showed.
But NOT the same and much less scalable.
Your version of “my” DNS solution involves tweaking an external DNS 4 or 5 times a year in order to get a free Let’s Encrypt cert. And either using port-forwarding or else loopback in the router.
Mine involves a commercial cert, no port-forwarding, no loopback. Those are significant differences.
Your variant is probably the best solution for some businesses. Even there, I’d personally go for the paid 1-year certificate rather than the Let’s Encrypt ones that expire in 90 days.
The guy you were helping in the most recent webinar has a hosted public web server that wouldn’t work for getting his Let’s Encrypt certs because he can’t run a Windows app.
Spinning up an AWS box for a half hour every 80 days just to acquire the Let’s Encrypt cert is awfully convoluted.
If his network hosts its own internal DNS, none of that is necessary and his existing hosted server will work just fine for purchasing a commercial cert.
Even without his own DNS he could still use his existing hosted domain to purchase a commercial cert and then do your trick with the public DNS and internal router loopback. But if his network is using Active Directory, it WILL have its own DNS.
The commercial cert solution I described in the clarionlive webinar is different from the one that you show.
I’m an administrator on the medium-size network where I contract. We have between 900 and 1000 employees in about 20 facilities. We have a variety of internal web servers - IIS, SSRS, Apache, and NetTalk. It is a medical environment that has regular security audits.
On our network we’ve configured dozens of split DNS domains to support servers that require a commercial cert.
For each server, it involves a one-time item setup in our internal DNS. After that it doesn’t need to be touched again.
It requires no port-forwarding to be configured through our firewalls.
It requires no loopback in the firewalls.
Once a year we buy a wildcard certificate using a publicly-registered domain name. I then install the cert on our servers.
I take no credit for this brilliant technique. Our IT director learned of it from a post on spiceworks (where the cool kids congregate) that links to this article: https://www.petenetlive.com/KB/Article/0000830
For our servers that are only accessed by domain-joined computers I’ve built an internal certificate authority (with offline root) that’s trusted in Active Directory. That’s convenient because those certs work with the actual server names and no DNS tweak is required.
Even much smaller networks with only a single site can benefit from this split DNS trick with a commercial cert if they’re running Active Directory.
Let’s Encrypt is a great tool.
Router loopback is a great tool if you’ve only got one router and one or two servers.
Not all pegs are round 
Cheers,
jf
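An added, offline model of the split-DNS plus commercial wildcard certificate setup described in the post above (example code written for this page, not jf's configuration or the petenetlive article's). It assumes a constructed internal zone and public zone for a hypothetical `example.com` domain and a constructed SAN list; it shows why the trick works: LAN clients resolve the public host name to a private address, Internet clients resolve it to the public one, and a single wildcard certificate issued for the public domain is valid on both sides because the name in the URL never changes. The `san_matches` check follows the usual single-label wildcard rule, so `*.example.com` covers `portal.example.com` but not `deep.portal.example.com` or the bare apex.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample zones (not real infrastructure): the same public names,
# answered differently depending on which horizon the client is on.
INTERNAL_ZONE: Dict[str, str] = {
    "portal.example.com": "10.20.0.15",   # IIS box on the LAN
    "reports.example.com": "10.20.0.16",  # SSRS on the LAN, not reachable publicly
}
PUBLIC_ZONE: Dict[str, str] = {
    "www.example.com": "203.0.113.10",     # hosted public web server
    "portal.example.com": "203.0.113.10",  # same host name, public address
}


def resolve(name: str, horizon: str) -> Optional[str]:
    """Split-horizon lookup: an internal client consults the internal zone
    first and falls back to the public zone; an external client only sees
    the public zone. Returns None when the name does not exist."""
    name = name.rstrip(".").lower()
    if horizon == "internal" and name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    return PUBLIC_ZONE.get(name)


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name. A leading '*.'
    wildcard covers exactly one leftmost label (RFC 6125 style), so it
    never matches the apex or a deeper subdomain."""
    pattern = pattern.lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(san_list: List[str], hostname: str) -> bool:
    """True if any Subject Alternative Name on the cert covers the host."""
    return any(san_matches(p, hostname) for p in san_list)


def check_deployment(hostname: str, san_list: List[str]) -> Dict[str, object]:
    """Summarise what each horizon resolves and whether one commercial
    wildcard cert is enough for both. 'split_in_effect' is the sanity check
    an administrator wants: LAN clients must get a private address that
    differs from the public answer, otherwise the internal zone is missing."""
    internal_ip = resolve(hostname, "internal")
    external_ip = resolve(hostname, "external")
    split = (
        internal_ip is not None
        and ipaddress.ip_address(internal_ip).is_private
        and internal_ip != external_ip
    )
    return {
        "internal_ip": internal_ip,
        "external_ip": external_ip,
        "split_in_effect": split,
        "cert_ok": cert_covers(san_list, hostname),
    }


if __name__ == "__main__":
    # Constructed SAN list of a wildcard cert bought for the public domain.
    sans = ["*.example.com", "example.com"]
    for host in ("portal.example.com", "reports.example.com", "deep.portal.example.com"):
        print(host, check_deployment(host, sans))
```

The third host in the usage loop illustrates the caveat behind buying a wildcard: a name two labels below the domain needs its own certificate or its own SAN entry, even though the split-DNS part would work for it just as well.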