To use REST from outside the firewall I’m told I’ll need an SSL Cert. Can someone confirm, this should be to the transaction server, not the database server (SQL)?
Correct; you’ll apply the certificate at the IIS level, and the API will be exposed through the application layer.
A typical scenario would be a reverse web proxy to handle the outside-the-firewall traffic and securely handle the firewall pass-through. Do your homework though, as this isn’t something to guess on.