You may run into a problem where road warriors (non-domain-joined clients) cannot connect through a Lync Edge, while some other clients connect without any error.
Clients that connect through the Edge rely entirely on NTLM, because Kerberos is not available as an authentication method.
The Lync 2010 or Office Communicator R2 client will act as if the user entered an invalid username or password.
The error message on the client computer is very misleading, and none of the external users will be able to log in.
Lync and OCS are very particular about the NTLMv2 settings.
These settings, for server and client, can be set in a group policy under Network security: Minimum session security for NTLM SSP based (including secure RPC), or by use of a registry setting.
Technet dump:
…
Sometimes the server will be configured to require encryption, and the client will not. In this case, the client NTLM request is not passed on by the front-end server. This situation primarily affects external users, because NTLM is the only authentication protocol that external clients can use to sign in. For example, if the server key is configured to have a value of 0x20080030, which specifies 128-bit encryption, and clients are not, clients will be unable to sign in. You should ensure that this key on the client is configured to match the server’s setting.
…
By default, on anything older than Windows 7 and Server 2008 R2, these registry settings are configured to not require 128-bit encryption and not require NTLMv2 session security.
Windows 7 and Server 2008 R2 require only 128-bit encryption by default.
Solution:
In particular, if you have an unmanaged client environment outside of the office (a very common scenario), you might want to provide the following registry file as a way to help secure your environment and enable unmanaged clients to connect:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:20080000
"NtlmMinServerSec"=dword:20080000
Reg Key to import as a download.
Those registry settings above are equivalent to configuring the following group policy with these options, for client and server:
[…] Please check detailed article […]
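To see which requirements a client value and a server value disagree on, the following added example (not part of the original post or the TechNet text) decodes the two DWORDs and diffs them. The bit table is Microsoft's documented meaning of these values; the function names and the sample .reg text are constructed for illustration.

```python
import re

# Bit meanings of NtlmMinClientSec / NtlmMinServerSec (Microsoft's documented values).
FLAGS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}
KNOWN_MASK = sum(FLAGS)

# Accept straight or curly quotes when reading: .reg text copied from a web
# page often carries typographic quotes, which are not valid .reg syntax.
VALUE_RE = re.compile(
    r'^\s*["\u201c\u201d](NtlmMin(?:Client|Server)Sec)["\u201c\u201d]'
    r'\s*=\s*dword:([0-9a-fA-F]{1,8})\s*$')

def parse_reg(text):
    """Return {value name: int} for the two NTLM minimum-security values."""
    return {m.group(1): int(m.group(2), 16)
            for m in map(VALUE_RE.match, text.splitlines()) if m}

def decode(value):
    """List the requirement names set in a minimum-security DWORD."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    unknown = value & ~KNOWN_MASK
    return names + (["unknown bits 0x%08x" % unknown] if unknown else [])

def compare(client_sec, server_sec):
    """Diff a client's NtlmMinClientSec against a server's NtlmMinServerSec."""
    return {"missing_on_client": decode(server_sec & ~client_sec),
            "missing_on_server": decode(client_sec & ~server_sec)}

# Constructed sample: the page's .reg values, one line pasted with curly quotes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
“NtlmMinClientSec”=dword:20080000
"NtlmMinServerSec"=dword:20080000
'''

if __name__ == "__main__":
    client = parse_reg(SAMPLE_REG)["NtlmMinClientSec"]
    # 0x20080030 is the server value used in the TechNet excerpt.
    for side, flags in compare(client, 0x20080030).items():
        print(side, "->", flags or "none")
```

Run against the TechNet excerpt's server value of 0x20080030, the 0x20080000 client value from the .reg file above still differs by the message integrity and message confidentiality bits, so check the actual server setting before distributing a client file.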