Lync MX -Externally not working

We are having an issue with Lync MX externally.

Lync MX Internally(domain joined) is working fine so is Mobility (external Only-internal not required), Lync 2010/2013 clients are working fine internally and externally.

It is a small deployment 2x FE and 1 x Edge.

When we try logging on from Lync MX externally we get the spinning that never ends. By enabling logging we get :

Direction: outgoing;source="local"Peer: edge.pool.Mydomain.com:57398Message-Type: responseStart-Line:SIP/2.0 401 Unauthorized

Looking further into the logs like the external access edge send the SIP/2.0 401 Unauthorized

We are using public certificates on the FE. And Certificate Revocation List (CRL) Distribution Point (CDP) for the certificates issued to Lync server points to an HTTP resource instead of an LDAP resource as per :

http://technet.microsoft.com/en-us/library/jj823129.aspx

All servers are on CU7.

Please let me know of any suggestions you may have in further troubleshooting this issue. I believed I have covered all troubleshooting steps available, but might of missed some.

Thanks a lot in advance.

$$begin_record

Trace-Correlation-Id: 4102754091

Instance-Id: 0037822A

Direction: outgoing;source="local"

Peer:edgeFQDN.MyDomain.com:57398

Message-Type: response

Start-Line: SIP/2.0 401 Unauthorized

From: <sip:user@domain.com>;tag=b30bd1e0cf;epid=9a2fefef5c

To: <sip: user@domain.com >;tag=C1DDC329DEAF0304014EBB25D437EA2B

CSeq: 1 REGISTER

Call-ID: 11172a5257a14d85a0c7fd2adf6ed9cd

Date: Tue, 18 Dec 2012 11:52:55 GMT(This timezone is a bit confusing, client and server are in EST -5)

WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="MyFrontEnd.domain.local", version=4

WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="MyFrontEnd.domain.local", version=4, sts-uri="https://ExternalWebServicesFQDN:443/CertProv/CertProvisioningService.svc"

Via: SIP/2.0/TLS192.x.x.x (internal Edge IP):57398;branch=z9hG4bK3B762A20.E711664720C9EC67;branched=FALSE;ms-received-port=57398;ms-received-cid=608E00

Via: SIP/2.0/TLS10.x.x.x (Lync MX Client):59982;received=63.131.143.173;ms-received-port=3061;ms-received-cid=866600

Server: RTC/4.0

Content-Length: 0

Message-Body: –

$$end_record