Our internal domain is local. Our (main) SSL is com. IIS bindings resolve the difference.
The trial-and-error part was that we cannot use Windows binding anymore (and net.tcp is gone starting at 2022.1). But “Azure” authentication does work. (I know, it’s Entra ID now. Epicor docs still say Azure.)
OTOH, the SQL server is not publicly accessible, and I have the task agent there (with an EAC install), and it’s all .local (with a self-signed SSL cert).
You can use .local, but it does come with challenges. It depends partly on whether you want the servers available externally (only really required for mobile apps), whether you have an internal CA server on your domain, or, as a worst case, you could use self-signed certs which you publish to the clients.
The issue with .local is that Epicor now uses https for all traffic. As such the server needs a certificate which the clients will trust.
No Global Certificate authority will issue .local certs as they can’t. So if you want to refer to your epicor server internally as epicorserver.local, you must either use your own CA which can issue a cert to it, and tell the clients it is trusted. Or use a self-signed cert and manually install that on all clients.
Or if you have a wildcard Vanair.com cert which you can install on that server, you can do some DNS jiggery-pokery to point epicorserver.vanair.com to 10.x.x.x or whatever your server is. And then play around with config files in Epicor to ensure the URL is correct in all locations.
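To make the "own CA" option from the reply above concrete, here is an added example (not from anyone in the thread, and not Epicor's own tooling) that stands up a throwaway internal CA with the openssl CLI, issues a cert for a hypothetical epicorserver.local, and then shows what a client sees: the cert verifies only when the client has been told to trust that CA, and not against an unrelated root. All names, the CA, and the temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: internal CA for a .local Epicor server, checked from a client's view.
# Assumes the openssl CLI is present. HOST and the CA name are made up.
set -eu
WORK="$(mktemp -d)"
HOST="epicorserver.local"   # hypothetical internal server name

# 1. Create the private CA that plays the role of the domain's CA server.
#    "other.crt" is a second, unrelated root standing in for the public roots
#    a client already ships with (which never issued anything for .local).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example Internal CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Unrelated Public Root" -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# 2. Issue the server cert. The .local name goes in the SAN, because that is
#    what clients match against (the CN alone is not enough for modern clients).
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# 3. The client's check: chain to a trusted root AND match the hostname.
#    $1 = the root bundle this client trusts. Prints "trusted" or "untrusted".
check_client_trust() {
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca
make_server_cert
echo "client with internal CA installed: $(check_client_trust "$WORK/ca.crt")"     # trusted
echo "client with only public roots:     $(check_client_trust "$WORK/other.crt")"  # untrusted
```

Pushing ca.crt into every client's trusted root store (by GPO or by hand) is exactly the "tell the clients it is trusted" step in the reply; without it, clients fall into the second line.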