Lync Server 2010 Mobility supports an internal and an external automatic discovery record. The mobile client signs in as follows:

  1. DNS query for lyncdiscoverinternal.
  2. DNS query for lyncdiscover.

Got this great flow diagram from Brendan Carius…cheers 😉

Usually the Lync Web Services certificate assigned to the Front-end Pool is issued by an internal CA. Of course this root CA isn’t present on mobile devices, so the certificate is not trusted. The Lync mobile client would not be able to sign in unless the internal root certificate was pre-installed on the device.

It’s a little more tricky to deploy the root CA to all your mobile devices, so it makes more sense to NOT have a lyncdiscoverinternal DNS record. Instead, have a lyncdiscover A record (internally) pointing to the public IP of your reverse proxy (RP).
You will need an RP rule to allow this traffic from internal, effectively hairpinning the traffic.

Even after configuring this I still got “Can’t verify certificate from the server. Please contact your support team”.

It would appear that the devices don’t trust the internal certificate, which makes sense. So how to fix this?

Two options here:

  1. Either install the Root CA on the device (defeats the point, as it works as the internal anyway).
  2. The only way I could get around the cert issue was to create a new listener and assign it only port 80. This did require an additional IP on the TMG internal.

Another error I got was “The server is either busy or did not respond, please try again later”.

Running traces on my iPhone showed that the lyncdiscover URL was translated to the External Web Services URL, which wasn’t valid in the DNS of my internal connection. Once I added a CNAME to match, we were sorted.
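To see all of the above from one place, here is an added PowerShell diagnostic (not from the original post) that walks the same names the mobile client tries, in the same order: lyncdiscoverinternal, then lyncdiscover, plus the External Web Services FQDN that the discovery response points to. For each name it reports whether it resolves from the machine you run it on, whether the port answers, and for 443 which certificate issuer is presented and what the .NET chain validation complains about (an untrusted internal root shows up as RemoteCertificateChainErrors, a wrong name as RemoteCertificateNameMismatch). The SIP domain and the External Web Services FQDN are placeholder assumptions; run it once from an internal client and once from outside to compare the two DNS views.

```powershell
# Added diagnostic, not part of the original post or of Lync itself.
# Both defaults are placeholders; pass your own values.
param(
    [string]$SipDomain       = "contoso.com",          # placeholder SIP domain
    [string]$ExternalWebFqdn = "lyncweb.contoso.com"   # placeholder External Web Services FQDN
)

function Test-LyncName {
    param([string]$Fqdn, [int]$Port)

    $r = @{ Name = $Fqdn; Port = $Port; Resolves = $false; Addresses = "";
            PortOpen = $false; Issuer = ""; PolicyErrors = "" }

    # Step 1: does this name resolve in the DNS view of this machine?
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn)
        $r.Resolves  = $true
        $r.Addresses = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ","
    } catch {
        return New-Object PSObject -Property $r
    }

    # Step 2: does the reverse proxy / listener answer on this port?
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        $r.PortOpen = $true

        if ($Port -eq 443) {
            # Step 3: run a TLS handshake and capture the validation result instead of
            # failing on it, so the reason a device would distrust the cert is visible.
            $script:lastErrors = [System.Net.Security.SslPolicyErrors]::None
            $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
                param($sender, $cert, $chain, $errors)
                $script:lastErrors = $errors
                return $true
            }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($Fqdn)
            $r.Issuer       = $ssl.RemoteCertificate.Issuer
            $r.PolicyErrors = [string]$script:lastErrors
            $ssl.Dispose()
        }
    } catch {
        $r.PolicyErrors = $_.Exception.Message
    } finally {
        $client.Close()
    }

    New-Object PSObject -Property $r
}

# Same order the mobile client uses: internal record first, then external.
# The port-80 row corresponds to the HTTP-only listener workaround; the last row
# is the External Web Services name that the discovery response redirects to,
# which must also resolve from inside (the CNAME fix above).
$checks = @(
    @{ Fqdn = "lyncdiscoverinternal.$SipDomain"; Port = 443 },
    @{ Fqdn = "lyncdiscover.$SipDomain";         Port = 443 },
    @{ Fqdn = "lyncdiscover.$SipDomain";         Port = 80  },
    @{ Fqdn = $ExternalWebFqdn;                  Port = 443 }
)

$checks |
    ForEach-Object { Test-LyncName -Fqdn $_.Fqdn -Port $_.Port } |
    Select-Object Name, Port, Resolves, Addresses, PortOpen, Issuer, PolicyErrors |
    Format-Table -AutoSize
```

Reading the output: if the lyncdiscoverinternal row resolves at all, a device without the internal root will still be steered at the internally issued certificate, which is the situation the post recommends avoiding by dropping that record. A lyncdiscover row with Resolves true and PolicyErrors of None from inside the network confirms the hairpin through the reverse proxy is presenting the public certificate; a final row that does not resolve reproduces the "server is either busy or did not respond" error described above.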