JP,
I assume you are using a split-DNS configuration and that FQDN resolves to different IP addresses when connecting from an internal client versus an external client?
Your problem is due to the fact that the Communicator client doesn't know if it's internal or external; it is programmed to always attempt a connection to the internal server first. The idea is your internal FQDN should not be resolvable when outside your network, so that should fail when the client is outside your network, and then it would move on to the external server name. Because in your case the internal name does resolve (to the external IP), it will attempt a connection as if it were connecting to a Front-End server, over TLS, hence the 5061 port you see in the logs.
You need to use a different FQDN for your external Edge Access Server, like sip.domain.com.
Additionally, you can (and typically do) have the external name be resolvable from inside the network because the internal name will always resolve first and then attempt a connection, never moving on to the external name.
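
The lookup order described in the reply above can be modelled offline to check a split-DNS layout before clients hit it. This is an added example, not part of the original post or any Microsoft tooling; `pool.domain.com`, the addresses and the DNS views are constructed placeholders.

```python
# Added example: offline model of the client behaviour described in the reply.
# pool.domain.com is a hypothetical internal FQDN; all addresses are constructed.

FRONT_END_TLS_PORT = 5061  # port the reply says appears in the logs


def pick_target(view, internal_fqdn, external_fqdn):
    """Return (role, fqdn, ip) for the first name that resolves in this DNS view.

    Mirrors the order in the reply: the internal name is always tried first,
    and the external name is used only when the internal one does not resolve.
    """
    for role, fqdn in (("front-end", internal_fqdn), ("edge", external_fqdn)):
        ip = view.get(fqdn.lower())
        if ip:
            return role, fqdn, ip
    return None


def audit(internal_view, external_view, internal_fqdn, external_fqdn):
    """List split-DNS conditions that send outside clients to the wrong role."""
    int_name, ext_name = internal_fqdn.lower(), external_fqdn.lower()
    findings = []
    if int_name == ext_name:
        findings.append("same FQDN used for internal and external server")
    if int_name in external_view:
        findings.append("internal FQDN resolves from outside the network")
    if int_name not in internal_view:
        findings.append("internal FQDN does not resolve inside the network")
    if ext_name not in external_view:
        findings.append("external FQDN does not resolve from outside")
    return findings


# Constructed DNS views (name -> address) as seen inside and outside the network.
BROKEN_INSIDE = {"pool.domain.com": "10.0.0.10"}
BROKEN_OUTSIDE = {"pool.domain.com": "203.0.113.10"}
FIXED_INSIDE = {"pool.domain.com": "10.0.0.10", "sip.domain.com": "203.0.113.10"}
FIXED_OUTSIDE = {"sip.domain.com": "203.0.113.10"}

if __name__ == "__main__":
    role, fqdn, ip = pick_target(BROKEN_OUTSIDE, "pool.domain.com", "pool.domain.com")
    print(f"broken, outside client: {role} via {fqdn} -> {ip}:{FRONT_END_TLS_PORT}")
    print(audit(BROKEN_INSIDE, BROKEN_OUTSIDE, "pool.domain.com", "pool.domain.com"))
    print(pick_target(FIXED_OUTSIDE, "pool.domain.com", "sip.domain.com"))
    print(audit(FIXED_INSIDE, FIXED_OUTSIDE, "pool.domain.com", "sip.domain.com"))
```
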