Securing access into Exchange using a CEA policy - am I missing something?

Our on-premise installation of DC has been running well for a couple of months and we're investigating the use of Conditional Exchange Access (CEA) policies to restrict the devices that can connect to our on-premise Exchange 2010 SP3 server.

As per the documentation, we have created matching FQDNs for the public facing Secure Gateway Server and the internal interface on the Desktop Central server, so that clients can access the server whether they are on the LAN or on the Internet. Let's say this FQDN is dc.company.com.

Prior to using Desktop Central's MDM functions, our firewall would port-forward incoming Exchange ActiveSync (EAS) requests from smartphone/mobile devices directly to the Exchange server. Let's say this server was accessible on mail.company.com. For security reasons, let's block that port-forwarding at the firewall. Mobile clients can no longer sync email via EAS as port 443 is closed.

My question is this: If an enrolled mobile device that communicates with the Secure Gateway successfully has an Exchange ActiveSync policy pushed to it, should the Exchange Server field still show as mail.company.com and if so, wouldn't the Port 443 have to remain open on the firewall to receive traffic from the mobile clients? How is this more secure or am I missing something?

Also, the CEA policy simply allows or blocks mobile devices that are or aren't known to Exchange already.  But how does this protect our network if we have to leave port 443 wide open on the firewall?

Sorry for the length of this post, but hopefully others have wondered the same thing. What am I missing?
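The post describes the CEA policy as an allow/block decision over devices that are or aren't already known to Exchange. The snippet below is an added example, not code from the original post, from ManageEngine or from Microsoft; it shows the Exchange 2010 SP1+ ActiveSync device access (allow/block/quarantine) controls that make that decision on the Exchange server itself, so that a device which does reach the EAS endpoint on port 443 still cannot sync until it has been approved. It assumes an Exchange Management Shell session with the Organization Management role; the mailbox name, mail addresses and device IDs are constructed placeholders.

```powershell
# Added example: Exchange 2010 SP1+ ActiveSync device access (ABQ) controls.
# Assumes an Exchange Management Shell session. 'jdoe', the mail addresses and the
# device IDs below are constructed placeholders, not values from the original post.

# 1. Unknown devices are quarantined instead of syncing by default; the admin gets a
#    notice and the device user sees an explanatory message.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'easadmin@company.com' `
    -UserMailInsert 'Your device is awaiting approval by IT before it can sync.'

# 2. Review the organisation-wide default and any device access rules already in place
#    (rules match on DeviceType, DeviceModel, DeviceOS or UserAgent).
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel

# 3. List devices currently sitting in quarantine so each one can be approved or blocked.
Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table DeviceId, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason

# 4. Per-mailbox decisions: approve one known device ID, block another.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncAllowedDeviceIDs @{Add = 'PLACEHOLDER-DEVICE-ID-1'}
Set-CASMailbox -Identity 'jdoe' -ActiveSyncBlockedDeviceIDs @{Add = 'PLACEHOLDER-DEVICE-ID-2'}

# 5. Confirm the resulting per-mailbox allow and block lists.
Get-CASMailbox -Identity 'jdoe' | Format-List ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs
```

Run steps 2, 3 and 5 on their own first to see the current state before changing anything; the quarantine default in step 1 applies to every mailbox in the organisation, so check the quarantine list regularly once it is enabled.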