The DNS records required for Lync mobility can be a little confusing, because mobile clients will always connect to the external web services FQDN. In Lync 2010 the URLs returned by the Lync Discover service for internal and external clients are the same external web services URL. In Lync 2013 the client is hard-coded to look for a single purpose-built URL, which is also the external web services URL.
Here is how I would recommend that DNS is configured:
The internal DNS records cause the most confusion, and are often the reason internally connected mobile devices fail to connect.
An A record or CNAME record pointing to the Front End pool.
This requires that devices have installed the internal CA certificate, or a public certificate has been used that is already trusted by the device.
An A record pointing to the external web services IP address. Using this record internally is not the recommended configuration.
In Lync 2010 you can actually get away with not including lyncdiscoverinternal.sipdomain.com in internal DNS; instead you just create lyncdiscover.sipdomain.com (a record that would normally only be included in external DNS) and resolve it to the external web services IP address. By doing this you get around the need to install the internal CA certificate. In Lync 2013 all clients now use the Lync Discover service, so this workaround is not advisable: you don’t want every Lync client on your internal network connecting to the external Lync Discover service.
Using this configuration requires that traffic can hairpin out through the firewall and back in again, which is also a requirement of the next (and required) DNS record. One trick that can be applied to both of these records is, rather than pointing them at the external ISA interface, to point them at the internal interface and enable the “local host” interface on the web listener associated with the Lync external web services rule. This lets ISA receive the inbound request and process it locally, applying the rule and sending the response back via the internal interface.
External DNS is much more clear-cut and doesn’t require a heck of a lot of explaining.
An A record pointing to the external web services IP address.
This will normally be the external ISA server interface.
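Because the failure mode described above (internal mobile devices not connecting) almost always comes down to which IP each of these names resolves to from inside versus outside, here is an added checker, written for this post rather than taken from it or from Microsoft, that evaluates the answers an internal and an external client would receive against the layout recommended above. It flags the Lync 2010 lyncdiscover workaround as a warning (hairpin required, not recommended) and as an error for Lync 2013 clients. The SIP domain, the external web services FQDN (`lyncweb.example.com`), the pool and ISA addresses and the sample DNS answers are all constructed for illustration; certificate trust and the ISA local-host trick cannot be judged from DNS answers alone, so they appear only as notes in the findings.

```python
# Added example (not from the original post): classify Lync mobility DNS
# answers against the recommended internal/external layout. Record names
# follow the post (lyncdiscoverinternal./lyncdiscover.<sipdomain>); the
# external web services FQDN and all addresses below are constructed.
from dataclasses import dataclass


@dataclass
class Finding:
    record: str
    level: str    # "ok", "warn" or "error"
    message: str


def _check_ext_ws(dns, ext_ws_fqdn, ext_ws_ip, ok_note):
    """The external web services FQDN must resolve to the external web
    services IP in both views: mobile clients always connect to it."""
    ip = dns.get(ext_ws_fqdn)
    if ip == ext_ws_ip:
        return Finding(ext_ws_fqdn, "ok", f"resolves to the external web services IP; {ok_note}")
    if ip is None:
        return Finding(ext_ws_fqdn, "error", "missing; mobile clients always connect to this FQDN")
    return Finding(ext_ws_fqdn, "error", f"resolves to {ip}, expected {ext_ws_ip}")


def check_internal_view(internal_dns, sip_domain, ext_ws_fqdn, front_end_ips, ext_ws_ip, lync_version):
    """Evaluate the answers an internally connected client receives.
    internal_dns maps FQDN -> IPv4 string (CNAMEs already followed);
    a name absent from the mapping does not resolve at all."""
    findings = []
    ld_int, ld_ext = f"lyncdiscoverinternal.{sip_domain}", f"lyncdiscover.{sip_domain}"
    pool = set(front_end_ips)

    # lyncdiscoverinternal: A/CNAME to the Front End pool; the device must trust
    # the certificate the pool presents (internal CA or a public certificate).
    ip = internal_dns.get(ld_int)
    if ip in pool:
        findings.append(Finding(ld_int, "ok", "resolves to the Front End pool; devices must trust its certificate"))
    elif ip is None:
        # Tolerable only with the Lync 2010 lyncdiscover workaround checked below.
        findings.append(Finding(ld_int, "warn" if lync_version == 2010 else "error", "missing from internal DNS"))
    else:
        findings.append(Finding(ld_int, "error", f"resolves to {ip}, which is not a Front End pool address"))

    # lyncdiscover in internal DNS is normally an external-only record. Pointing it
    # at the external web services IP is a 2010-only workaround that needs a hairpin.
    ip = internal_dns.get(ld_ext)
    if ip == ext_ws_ip:
        if lync_version == 2010:
            findings.append(Finding(ld_ext, "warn", "2010 workaround: internal clients use the external "
                                                    "Lync Discover service; traffic must hairpin through the firewall"))
        else:
            findings.append(Finding(ld_ext, "error", "sends every internal Lync 2013 client to the external Lync Discover service"))
    elif ip is not None:
        findings.append(Finding(ld_ext, "error", f"resolves to {ip}, expected the external web services IP {ext_ws_ip}"))

    findings.append(_check_ext_ws(internal_dns, ext_ws_fqdn, ext_ws_ip,
                                  "traffic must hairpin through the firewall (or use the ISA internal-interface trick)"))
    return findings


def check_external_view(external_dns, sip_domain, ext_ws_fqdn, ext_ws_ip):
    """Evaluate the answers an Internet client receives: both names -> external web services IP."""
    ld_ext = f"lyncdiscover.{sip_domain}"
    ip = external_dns.get(ld_ext)
    if ip == ext_ws_ip:
        first = Finding(ld_ext, "ok", "resolves to the external web services IP")
    else:
        first = Finding(ld_ext, "error", f"resolves to {ip or 'nothing'}, expected {ext_ws_ip}")
    return [first, _check_ext_ws(external_dns, ext_ws_fqdn, ext_ws_ip, "normally the external ISA interface")]


def worst_level(findings):
    order = {"ok": 0, "warn": 1, "error": 2}
    return max((f.level for f in findings), key=order.__getitem__)


# Constructed sample values (not from the post).
SIP_DOMAIN = "example.com"
EXT_WS_FQDN = "lyncweb.example.com"   # hypothetical external web services FQDN
FRONT_END_IPS = ["10.0.0.10"]          # Front End pool, internal
EXT_WS_IP = "203.0.113.10"             # external web services IP (ISA external interface)

RECOMMENDED_INTERNAL = {f"lyncdiscoverinternal.{SIP_DOMAIN}": "10.0.0.10", EXT_WS_FQDN: EXT_WS_IP}
WORKAROUND_INTERNAL = {f"lyncdiscover.{SIP_DOMAIN}": EXT_WS_IP, EXT_WS_FQDN: EXT_WS_IP}  # 2010 style
EXTERNAL = {f"lyncdiscover.{SIP_DOMAIN}": EXT_WS_IP, EXT_WS_FQDN: EXT_WS_IP}

if __name__ == "__main__":
    for label, view, ver in [("recommended, Lync 2013", RECOMMENDED_INTERNAL, 2013),
                             ("workaround, Lync 2010", WORKAROUND_INTERNAL, 2010),
                             ("workaround, Lync 2013", WORKAROUND_INTERNAL, 2013)]:
        fs = check_internal_view(view, SIP_DOMAIN, EXT_WS_FQDN, FRONT_END_IPS, EXT_WS_IP, ver)
        print(f"internal ({label}): {worst_level(fs)}")
        for f in fs:
            print(f"  [{f.level}] {f.record}: {f.message}")
    fs = check_external_view(EXTERNAL, SIP_DOMAIN, EXT_WS_FQDN, EXT_WS_IP)
    print(f"external: {worst_level(fs)}")
```

To use it against a real deployment, populate the two mappings from lookups made on a domain-joined machine inside the network and from a host outside it (for example with `nslookup` or `Resolve-DnsName`), then compare the findings; a "warn" on lyncdiscover is the 2010 workaround and a reminder that the firewall must permit the hairpin.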