I have followed this tutorial: http://technet.microsoft.com/en-us/library/fp161236(v=office.15).aspx The SharePoint 2013 server is behind a Forefront TMG 2010 firewall. I have configured a SharePoint site publishing rule to allow access to the main SharePoint site collection at https://sp13.mydomain.com using a wildcard certificate for *.mydomain.com. This is working properly. I also need to allow *.mydomainapps.com through the firewall. I have configured wildcard dns for *.mydomainapps.com and I also have a wildcard certificate for *.mydomainapps.com. I am not sure how to configure a site publishing rule to allow *.mydomainapps.com to go to port 443 on the internal SharePoint site from the external interface. Is there a best practices TechNet article describing Forefront TMG 2010 setup for a SharePoint 2013 server environment configured for Apps? Also, where do I install the wildcard certificate for *.mydomainapps.com on the SharePoint server? Do I need to assign bindings for an iis site?

I changed the default zone to contain https://sp13.mydomain.com, edited the local host file to point sp13.mydomain.com and <appname>.mydomainapps.com locally where <appname> is the full name of a particular app installed. I can open the app but I still get an ssl error. I have installed the wildcard cert for *.mydomainapps.com in IIS but I don't know which IIS site to bind it to. Is there some other setting I am missing for assigning the wild card cert *.mydomainapps.com?

Found the answer here: http://blogs.technet.com/b/speschka/archive/2012/09/03/planning-the-infrastructure-required-for-the-new-app-model-in-sharepoint-2013.aspx "The solution then is to create a fourth web application. You can create it without a host header name and assign it a shared IP of 192.168.1.13. In DNS then your wildcard entry for *.contosoapps.com will point to 192.168.1.13. What ends up happening is that your apps web application listens on that IP address and the SharePoint http module that is responsible for routing will pick up the request for the application. It will then use the App Management service application to determine what web application is actually hosting that application and reroute the request to it. The request is then served from that web application, site collection, and SPWeb where the app itself lives, so all of the security and authentication settings for them will be correctly applied." I created a new web application (no site collection needed to be created for it) and put the bindings for the apps domain in the IIS site it created.