I regularly get calls from customers who have set an extranet cluster URL for their RMS infrastructure, however seem to be unable to connect to that URL when opening content externally.
It is important to note that the CLC file located in a users C:\Documents and Settings\profile\Local Settings\Application Data\Microsoft\DRM directory, is the publishing certificate for all content published by that user. What is extremely important about this certificate is that it contains the Intranet and Extranet URLs for your RMS infrastructure. These are the URLs that get stamped into your content, so that the *consuming* user knows where the licensing server is, that they need to go ask for a license for this piece of content.
If a user obtained this file 'prior' to the administrator setting up an extranet URL, guess what? The CLC they have will only have the *Intra*net URL in it. This means that the content they publish will only have one URL in it. The way that RMS works is that it will try to obtain a use license from the Intranet location first, and if that fails it will roll-over to the extranet location to obtain it.
In order to remedy this problem you will need to either rename or delete the DRM folder so the publishing user is forced to re-bootstrap from scratch, or you need to delete the CLC file from the DRM folder to force the user to go get a new one. This can be done with a logon script, or whatever your company uses to push out file system changes.
So how do you know if a piece of content has been created using only the intranet URL. Simple, open the piece of content using good ol' notepad, and do a CTRL+F search for http. This should immediately take you to the location for your intranet URL. Keep hitting find to find the next, and see if it contains the extranet URL. If it doesn't. The user who created the piece of content, needs to go get a new certificate (assuming you don't want to wait an entire year for the existing cert to expire).
Other than that, make sure that your extranet users can access http://rms.yourdomain.com/_wmcs/Certification/Certification.asmx, and http://rms.yourdomain.com/_wmcs/Licensing/License.asmx from their browsers successfully.
Can AD RMS work from Outside corporate using Workgroup machines. ?