Hello,
i know it's pretty old topic but i found soulution to this. Maybe one find it in future ;)
If you are using Internal CA, it's pretty simple to add FQDN to SAN certificate (ie. wsus.domain.com & wsus-server.domain.local). After that it works like a charm remotely and localy.
Only with external i didn't found solution, but won't spend much time on it.
PS: Windows 2012r2 with Windows 10 support in freshly installed WSUS
Cheers
Jan