This is major security concern with authentication on the backend servers. Having TMG 2010 and Lync 2013, will the TMG 2010 still authenticate external lync users, including lync mobile who are trying to access the Exchange servers

I'm currently deploying lync mobile for external access. However, Lync needs to access Exchange and to do so I have to publish Exchange Web services and Autodiscover on TMG. So will TMG do the authentication for Exchange Web services (exchange 2010/2013)? So my concern is the risks on a security perspective that a user can connect to their Exchange server externally. Does this mean that Lync clients are connecting to Exchange, without any prior authentication? How can understand the mechanism here and the authentication process.

So any articles on this will be very he

Hi,

>>Does this mean that Lync clients are connecting to Exchange, without any prior authentication?

For publish Lync, please check the article below. In the article, it selects the delegation method No Delegation, but client may authenticate directly, Forefront TMG passes the user's credentials to the destination server without any additional action on the part of Forefront TMG. The client and the destination server then negotiate the authentication.

Configuring the reverse proxy for mobility in Lync Server 2013

For the authentification, the following articles could help you understand the authentificaion process.

About authentication for published resources

About delegation of credentials

Best Regards,

Joyce