This was working a day ago.  What broke it is when I tried to change the OA hostname for our Exchange 2007 setup.  Our users were used to going to webmail.domain.com for all Exchange virtual directories and OA.  When I stood up the Exchange 2013 environment, I named all the virtual directories and OA mail.domain.com.  I wanted to push all webmail.domain.com traffic to Exchange 2013, and I did so externally a month ago.  No problems.  Everything worked with a simple CNAME to mail.domain.com.

The problem started when I wanted to do the same thing internally.  I renamed all the Exchange 2007 virtual directories and OA to legacywebmail.domain.com.  I created an A/PTR record in DNS pointing to NLB that used to host webmail.domain.com, changed the NLB name, deleted the A/PTR for webmail.domain.com, and then CNAMED webmail.domain.com to mail.domain.com.

External OA broke.  Everything else worked (EAS/EWS).  I tried backing out of the changes, and OA is still broken.  It looks like it breaks when Exchange 2013 is proxying to Exchange 2007.  I get a "RPC Proxy Can't Be Pinged - An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN)." error message.  The traffic comes in through my TMG, hits 2013, and stops dead there.  

The thing is that this WAS working prior to the changes, it broke when the changes were made, and now that the changes were reverted, it's still broken.  EWS and EAS continue to function without issue. If I force clients through legacywebmail.domain.com, they work.