After a while Connect cannot be contacted to from the external network for SMTP, Outlook or Web Client (HTTPS). What is really strange: if I VPN in to the local network, Web Client works perfectly from there.

If it's working on the VPN (and I assume then for systems on the LAN), then it's more likely related to DNS or something with Kerio Control.

To check if it's a DNS issue on the client, when the problem happens try to access the Kerio Connect webmail from the client browser using the IP address rather than the DNS name.

Have you tried restarting just the Control service instead of rebooting the whole machine? You have not ruled out an OS issue yet. You don't mention what OS it is installed on.

(Not saying it is not Connect causing the issue but this will confirm your belief)

Sorry my brain must have been elsewhere when I was typing as you do state all of that in your original post, it happens.

I'll bow out as my Linux skills are not anywhere near my windows experience.

To confirm, restarting Kerio Control fixes the issue, correct? Based on your first reply I understood that rebooting the Kerio Connect system temporarily resolved the issue.
Regardless, I would investigate two things:
- Default gateway on Kerio Connect system. Make sure there is only one default route. Feel free to include the output of the routing table on your Kerio Connect system.
- Maximum connection limit in Kerio Control. Make sure you are running Kerio Control 9 as there were some improvements to the connection limit feature. Make sure the connection limits are set to the default values as described in this KB article http://kb.kerio.com/product/kerio-control/security/configuri ng-connection-limits-1756.html

But how can it be repaired with rebooting Control, which should have no effect on Control or DNS?

Unfortunately it is not feasible as the whole site is behind a single IP and the reverse proxy should know the name from the request to dispatch it to the right server. The reverse proxy in Control sends the incoming requests to the IP addresses of the servers.

Agreed, unless the restart is forcing it to refresh something in the DNS? Can you confirm that users on the LAN always have access even when users on the outside network don't.

I'm not overly familiar with reverse proxy. My system uses a single IP and through Kerio Control I use NAT to reach the desired destination server. We already use port 443 for a webpage, so (after some good advice from Kerio) I setup a map to Kerio Connect using port 4043. To access the webmail we use https://xxx.xxx.xxx:4043/webmail

I think you are mixing Kerio Control and Kerio Connect. If I understand, restarting the entire server for Kerio Connect fixes the issue (not restarting Kerio Control). In this case, the issue is probably related to some type of local networking issue.
Possible networking issues that match the symptoms you describe:
- IPv6 is inadvertently being favored somehow (and doesn't work).
- Your networking equipment is forgetting the port associated with your Kerio Connect system due to inactivity and it only gets refreshed when you reboot (because the Kerio Connect system sends an ARP update).

Note that the reverse proxy only supports HTTP(S) so while remote access doesn't work, it would be interesting to know if it affects other protocols like SMTP or IMAP.