We use Lync 2013 and Exchange 2010 in our environment. We do not publish autodiscover.contoso.com externally, as we do not want to allow users from configuring Outlook anywhere they like to use it. Now Lyncdiscover.contoso.com is published externally, as is the service record which point to the access edge. Now I am a bit confused, because when testing Lync on a desktop it prompted me for credentials to authenticate to Exchange Web Services. This desktop is not joined to the domain and sits in a private place which is connected to the internet. I am wondering how Lync discovers the Exchange Web Services as long as autodiscover.contoso.com or any of the other FQDN's which the Exchange Autodiscover process uses are published?
This desktop does not even have Outlook configured to connect to a domain mailbox, so it couldn't have used MAPI to discover those settings. autodiscover.contoso.com is published internally because we want our Internal Lync clients to be able to use the Exchange Web Services, in which they do not rely on Outlook to retrieve free/busy info.
Answers provided are coming from personal experience, and come with no warranty of success. I as everybody else do make mistakes.