I can access ucs portal and start container apps from intranet but not from internet

UCS-4.4.3
Everything works fine. No warnings or errors in the system diagnosis.
One problem: When I access the web interface from the internet, the Portal appears correctly. I can start the password reset, but when I start container apps like owncloud, etherpad and dudle,
the response is: “https://example.com/owncloud” Not Found
The requested URL was not found on this server.
Apache/2.4.25 (Univention) Server at example.com Port 443.

Is this for a missing certificate for the subdomains of the apps?

<VirtualHost *:443>
    ServerAdmin admin@example.com
    ServerName example.com
    DocumentRoot /var/www/
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        RedirectMatch ^/$ /univention/
    </Directory>

    <Directory /var/www/>
        Options None +SymLinksIfOwnerMatch
        AllowOverride Indexes FileInfo
    </Directory>

    IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
    SSLEngine on
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
    SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
    SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
</VirtualHost>

Sounds like you are missing a port mapping/forwarding in your internet router.
In my case, it looks something like this: [screenshot]

Thanks for the reply.
No, I already opened the relevant ports at the router.
It is a problem with different path settings.
From the LAN I use the intranet domain ucs-xxx.example.intranet: here it works fine.
From the internet I am setting paths using my own created example.com.conf in apache2. When I get the failure message from the server (server not found) and I manually add the univention path to the browser request like this: https://example.com/univention/owncloud, I am getting at least this reply:
" Webfrontend-Fehler: Die angegebene Anfrage ist nicht bekannt.

The path ‘/owncloud’ was not found.

Webfrontend-Fehler: Die angegebene Anfrage ist nicht bekannt.
The path ‘/owncloud’ was not found."

Thus I will check in the sys.log whether I can find the right path processing to the localhost:4000x of the owncloud container and the other apps running in containers. Probably I have to add a general symlink to all the my.domain.conf files, which is included somewhere in the original Univention scripts set by the installation processes. If so, as I guess, it would be very helpful to every relatively new server admin if the installation dialogue asked for the domain names and related certificate request information which should be used for internet access. And because the use of a secure transport protocol is generally suggested, the install script should, when online access is available during installation, request the necessary certificates with openssl, write them to the right place and set the paths in the apache2 config files.
Even better, for multi-domain access or the use of subdomains to access special containers like owncloud, kopano, dudle, etherpad, and my1.domain, my2.domain, my3.domain for typo3 CMSs, which can be installed in containers, this could be implemented in the installation or as an admin app to add more accesses to the UCS or later to member servers or slaves.
I am looking forward if the community will get something as Christmas present.
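
The mismatch described in this post, as an added example that is not part of the thread and not Univention's generated configuration: the script reads Apache vhost text and reports, per ServerName, which backend a request path is proxied to (if any) and which SSLProxyCheckPeer* checks are switched off. The two-vhost sample, its ProxyPass line and port 40001 (standing in for the 4000x above) are constructed assumptions.

```python
# Constructed sample, not taken from a real UCS host: only the intranet
# vhost carries a proxy rule for the app path; 40001 stands in for "4000x".
SAMPLE = """\
<VirtualHost *:443>
    ServerName ucs-xxxx.example.intranet
    SSLProxyEngine on
    ProxyPass /owncloud https://127.0.0.1:40001/owncloud
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
</VirtualHost>
"""

def parse_vhosts(text):
    """Map ServerName -> {'proxy': [(path, backend)], 'peer_checks_off': [...]}."""
    vhosts, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "<virtualhost":
            cur = {"name": "(unnamed)", "proxy": [], "peer_checks_off": []}
        elif cur is None:
            continue  # directive outside any vhost
        elif key == "</virtualhost>":
            vhosts[cur.pop("name")] = cur
            cur = None
        elif key == "servername" and len(parts) > 1:
            cur["name"] = parts[1]
        elif key == "proxypass" and len(parts) >= 3:
            cur["proxy"].append((parts[1], parts[2]))
        elif key.startswith("sslproxycheckpeer") and parts[-1].lower() == "off":
            cur["peer_checks_off"].append(parts[0])
    return vhosts

def backend_for(vhost, url_path):
    """First matching ProxyPass backend, or None (Apache then serves locally: 404)."""
    # Simplified: whole path segments only; "!" marks an exclusion rule.
    for path, backend in vhost["proxy"]:
        prefix = path.rstrip("/")
        if url_path == prefix or url_path.startswith(prefix + "/"):
            return None if backend == "!" else backend
    return None
```

A vhost that proxies to HTTPS backends with the peer-name checks listed in `peer_checks_off` does not verify that the backend certificate matches the host it connects to.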

This is sys.log from the two different requests. First from the intranet and second from Internet.
1st)

Dec 15 13:42:01 ucs-xxxx check_nrpe: Remote 192.168.1.2 accepted a Version 3 Packet
Dec 15 13:42:01 ucs-xxxx cron[535]: (systemunivention-virtual-machine-manager-daemon) INSECURE MODE (group/other writable) (/etc/cron.d/univention-virtu$
Dec 15 13:42:51 ucs-xxxx simplesamlphp[5432]: 5 STAT [4ef4eb0f46] passive-saml20-idp-SSO https://ucs-xxxx.example.intranet/univention/saml/metadata ht$
Dec 15 13:42:51 ucs-xxxx python2.7: Loaded metadata from “/usr/share/univention-management-console/saml/idp/ucs-sso.innoconsens.intranet.xml”
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion issuer is https://ucs-sso.example.intranet/simplesamlphp/saml2/idp/metadata.php
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion audience https://ucs-4964.innoconsens.intranet/univention/saml/metadata
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion condition NotBefore = 1576413741 (2019-12-15T12:42:21Z)
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion condition NotOnOrAfter = 1576414071 (2019-12-15T12:47:51Z)
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion AuthnStatement AuthnInstant = 1576413049
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1576456249
Dec 15 13:42:51 ucs-xxxx python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1
Dec 15 13:40:51 ucs-xxxx python2.7: SAML assertion audience https://ucs-xxxx.example.intranet/univention/saml/metadata
Dec 15 13:40:51 ucs-xxxx python2.7: SAML assertion condition NotBefore = 1576413621 (2019-12-15T12:40:21Z)
Dec 15 13:40:51 ucs-xxxx python2.7: SAML assertion condition NotOnOrAfter = 1576413951 (2019-12-15T12:45:51Z)
Dec 15 13:40:51 ucs-xxxx python2.7: SAML assertion AuthnStatement AuthnInstant = 1576413049
Dec 15 13:40:51 ucs-xxxx python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1576456249
Dec 15 13:40:51 ucs-xxxx python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1
Dec 15 13:40:56 ucs-xxxx check_nrpe: Remote 192.168.1.2 accepted a Version 3 Packet
Dec 15 13:41:01 ucs-xxxx cron[535]: (systemunivention-virtual-machine-manager-daemon) INSECURE MODE (group/other writable) (/etc/cron.d/univention-virtu$
Dec 15 13:41:45 ucs-xxxx check_nrpe: Remote 192.168.1.2 accepted a Version 3 Packet
Dec 15 13:42:01 ucs-xxxx check_nrpe: Remote 192.168.1.2 accepted a Version 3 Packet
Dec 15 13:42:01 ucs-xxxx cron[535]: (systemunivention-virtual-machine-manager-daemon) INSECURE MODE (group/other writable) (/etc/cron.d/univention-virtu$
Dec 15 13:42:51 ucs-xxxx simplesamlphp[5432]: 5 STAT [4ef4eb0f46] passive-saml20-idp-SSO https://ucs-xxxx.example.intranet/univention/saml/metadata ht$
Dec 15 13:42:51 ucs-xxxx python2.7: Loaded metadata from “/usr/share/univention-management-console/saml/idp/ucs-sso.example.intranet.xml”
Dec 15 13:42:51 ucs-4964 python2.7: SAML assertion issuer is https://ucs-sso.example.intranet/simplesamlphp/saml2/idp/metadata.php
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion audience https://ucs-xxxx.example.intranet/univention/saml/metadata
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion condition NotBefore = 1576413741 (2019-12-15T12:42:21Z)
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion condition NotOnOrAfter = 1576414071 (2019-12-15T12:47:51Z)
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion AuthnStatement AuthnInstant = 1576413049
Dec 15 13:42:51 ucs-xxxx python2.7: SAML assertion AuthnStatement SessionNotOnOrAfter = 1576456249
Dec 15 13:42:51 ucs-xxxx python2.7: assertion contains urn:oid:0.9.2342.19200300.100.1.1; searching for urn:oid:0.9.2342.19200300.100.1.1
2nd)
Dec 15 13:42:59 ucs-xxxx check_nrpe: Remote 192.168.1.2 accepted a Version 3 Packet
Dec 15 13:43:01 ucs-xxxx cron[535]: (systemunivention-virtual-machine-manager-daemon) INSECURE MODE (group/other writable) (/etc/cron.d/univention-virtu$
Dec 15 13:43:02 ucs-xxxx slapd[1808]: <= mdb_equality_candidates: (ownCloudEnabled) not indexed
Dec 15 13:43:02 ucs-xxxx slapd[1808]: <= mdb_equality_candidates: (ownCloudEnabled) not indexed
Dec 15 13:43:02 ucs-xxxx slapd[1808]: <= mdb_equality_candidates: (ownCloudEnabled) not indexed
Dec 15 13:43:02 ucs-xxxx slapd[1808]: <= mdb_equality_candidates: (ownCloudEnabled) not indexed

Is it possible to get that done by adding records to the DNS forward zone example.domain ?
If this is a way, what do I have to add?
example.domain/owncloud = ucs-xxxx.example.intranet:4000x ???

Maybe this might hint you: How To Design Your UCS Domain To Use Public DNS Names

I used Scenario 4: Use public domain domain.com for internal purposes, too.

But I intend to find a safer solution with additional servers.
