My friend Mika Ullgren, who runs a good blog on Lync and security at techmikal.com, has demonstrated PointSharp's "Mobile Gateway for Lync" for me.
The reverse proxy (Mobile Gateway) intercepts login attempts from clients and can apply various checks to the request before passing it on to the internal front-end server(s). This lets the gateway add functions such as application-specific passwords, two-factor authentication and device control. If the user is only supposed to log in from an iPhone, the gateway checks this against an internal PointSharp server and denies the request if it comes from any other type of device. Each device is registered by the PointSharp system and tied to an authenticated user, creating a pairing that is validated continuously.
A separate password used only to log in to Lync/Skype for Business can also be assigned to the user. This way the external user never has to type the actual AD password or store it on a mobile device. Two-factor authentication is achieved by combining the static application-specific password with a code from some type of two-factor token. Lockouts of AD accounts caused by password guessing through the Edge server / reverse proxy can also be stopped: after x erroneous attempts the gateway locks the application-specific password, while the AD account itself stays untouched and usable internally.
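To make that decision flow concrete, here is a small toy model I wrote of such a gateway. It is an added example, not PointSharp's code, API or product behaviour: the device list, the PBKDF2-hashed application-specific password, the RFC 4226 HOTP token, the lockout threshold (`MAX_APP_PASSWORD_FAILURES`) and the look-ahead window (`HOTP_WINDOW`) are all my own assumptions. The point it shows is the ordering of checks and that a lockout counter hits the Lync-only password, so an external guesser can never lock the AD account. How the real front end is then authenticated on the user's behalf is out of scope here.

```python
"""Toy model of a Lync/Skype for Business reverse-proxy gateway that front-ends
the AD-authenticated servers with its own checks: device binding, an
application-specific password, a one-time token code, and a lockout that
targets the app password instead of the AD account.
Hypothetical example; not PointSharp's code or a description of their design.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

MAX_APP_PASSWORD_FAILURES = 5   # assumed value for the "x erroneous attempts"
HOTP_WINDOW = 3                 # assumed look-ahead for a counter-based token


@dataclass
class UserRecord:
    ad_account: str
    salt: bytes
    app_password_hash: bytes   # PBKDF2 of the Lync-only password; the AD password is never stored
    token_seed: bytes          # shared secret of the user's OTP token (assumed HOTP)
    allowed_devices: set       # device types registered for this user, e.g. {"iPhone"}
    counter: int = 0           # next expected HOTP counter
    failures: int = 0
    locked: bool = False


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Gateway:
    def __init__(self):
        self.users = {}
        self.forwarded = []   # logins that were handed on to the internal front end

    def register(self, ad_account, app_password, token_seed, devices):
        salt = secrets.token_bytes(16)
        self.users[ad_account] = UserRecord(
            ad_account, salt, _hash_password(app_password, salt), token_seed, set(devices))

    def _fail(self, rec, reason):
        rec.failures += 1
        if rec.failures >= MAX_APP_PASSWORD_FAILURES:
            rec.locked = True   # locks only the Lync-specific password; AD is untouched
        return False, reason

    def login(self, ad_account, app_password, otp_code, device_type):
        """Return (allowed, reason). The reason is for the gateway's own log;
        an external client should only ever see a generic failure."""
        rec = self.users.get(ad_account)
        if rec is None:
            return False, "unknown user"
        if rec.locked:
            return False, "app password locked"
        if device_type not in rec.allowed_devices:
            return False, "device not registered for user"
        if not hmac.compare_digest(_hash_password(app_password, rec.salt), rec.app_password_hash):
            return self._fail(rec, "bad app password")
        # Second factor: accept the next HOTP_WINDOW counters, then advance past
        # the one used so the same code cannot be replayed.
        for step in range(HOTP_WINDOW):
            if hmac.compare_digest(hotp(rec.token_seed, rec.counter + step), otp_code):
                rec.counter += step + 1
                break
        else:
            return self._fail(rec, "bad token code")
        rec.failures = 0
        self.forwarded.append(ad_account)   # only now does a request reach the front end
        return True, "ok"
```

Two things worth noticing when playing with it: the device check happens before any credential is verified, so a request from an unregistered device type never even touches the password, and once `locked` is set the gateway answers every further attempt itself, which is exactly what keeps the noise away from AD. One caveat a real deployment has to handle: with a slow password hash, the "unknown user" path answers much faster than the "bad app password" path, which leaks account existence unless the gateway equalises the timing.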
For more information on this solution, please check out PointSharp's public information.
The GUI below is from the upcoming 4.4 version, and support for both Skype for Business and Lync is coming to the product soon.
Stay safe out there!