On both the external and the internal DNS setup, 'lyncdiscover.<sipdomain>' needs to point to the Reverse Proxy for correct authentication of WebAgent. The WebAgent behaves like the older mobile client and therefore needs to be able to request the token via the reverse proxy. The reverse proxy then changes the port number to 4443 or 8080 and forwards the request to the Front End server. The Front End server has two web services, one for internal access and one for external access; ports 8080 and 4443 belong to the external web service. If this type of traffic is allowed, the WebAgent can sign in without issues.
For more reference information and steps from Microsoft, see Microsoft's own documentation, but remember to add lyncdiscover.<sipdomain> to your internal DNS zone instead of lyncdiscoverinternal.<sipdomain> and point it to your external web service IP. (It will treat WebAgent sign-in and connection just like a mobile Lync/SfB client did/does, as if they are always logging on and connected from the internet. The thought behind this setup, for mobile, was that if an employee was on a call from within the office on their mobile client and then walked outside the office, they would have a seamless experience with no dropped calls, because they were already connected via the external internet. So it just works, and that same philosophy has been applied to WebAgent sign-in.)
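The sign-in path described above has three points that commonly break: the internal zone still resolves lyncdiscover to the Front End's internal web services, the reverse proxy does not answer on 443, or the proxy cannot reach the Front End on 4443/8080. The following PowerShell script is an added example, not code from the original post or from Microsoft; it checks each of those points from an internal client, and the 4443/8080 checks when run on the reverse proxy itself. The SIP domain, reverse proxy IP and Front End FQDN are placeholders, and the Autodiscover root URL is the standard Lync/SfB autodiscover path.

```powershell
<#
  Added example (not part of the original post). Verifies the WebAgent sign-in path:
   1. lyncdiscover.<sipdomain> resolves to the reverse proxy / external web services IP
   2. the reverse proxy answers on TCP 443
   3. the Autodiscover root is reachable through the proxy
   4. (on the proxy only) the Front End answers on the external web services ports 4443 and 8080
  All names and addresses below are placeholders; replace them with your own.
#>
param(
    [string]$SipDomain      = 'contoso.example',            # placeholder SIP domain
    [string]$ReverseProxyIp = '203.0.113.10',               # placeholder: reverse proxy / external web services IP
    [string]$FrontEndFqdn   = 'fe01.corp.contoso.example',  # placeholder Front End pool or server FQDN
    [switch]$FromReverseProxy                               # set when running this on the reverse proxy
)

$lyncdiscover = "lyncdiscover.$SipDomain"
$failures = 0

function Report([string]$Check, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $state, $Check, $Detail)
    if (-not $Ok) { $script:failures++ }
}

# 1. DNS: the record must point at the reverse proxy, not at the Front End's internal web service.
try {
    $records = Resolve-DnsName -Name $lyncdiscover -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    $ips = @($records | ForEach-Object { $_.IPAddress })
    Report "DNS $lyncdiscover" ($ips -contains $ReverseProxyIp) ("resolves to " + ($ips -join ', '))
} catch {
    Report "DNS $lyncdiscover" $false "no A record: $($_.Exception.Message)"
}

# 2. TCP 443 to the reverse proxy, the port WebAgent and the mobile clients connect to.
$tcp = Test-NetConnection -ComputerName $lyncdiscover -Port 443 -WarningAction SilentlyContinue
Report "TCP 443 to $lyncdiscover" $tcp.TcpTestSucceeded "remote address $($tcp.RemoteAddress)"

# 3. Autodiscover root through the proxy. HTTP 200 means a Front End web service answered.
try {
    $uri = "https://$lyncdiscover/Autodiscover/AutodiscoverService.svc/root"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    Report 'Autodiscover root' ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode) from $uri"
} catch {
    Report 'Autodiscover root' $false $_.Exception.Message
}

# 4. Only meaningful on the reverse proxy: it must reach the Front End external web services ports.
if ($FromReverseProxy) {
    foreach ($port in 4443, 8080) {
        $t = Test-NetConnection -ComputerName $FrontEndFqdn -Port $port -WarningAction SilentlyContinue
        Report "TCP $port to $FrontEndFqdn" $t.TcpTestSucceeded 'external web services port'
    }
}

if ($failures -eq 0) { Write-Host 'All checks passed.' } else { Write-Host "$failures check(s) failed."; exit 1 }
```

Run it once from an internal workstation and once on the reverse proxy with `-FromReverseProxy`. A DNS check that resolves to the Front End's internal address instead of the proxy is the misconfiguration the text warns about; a passing DNS check with a failing 4443/8080 check points at the firewall between the proxy and the Front End. Step 3 will fail with a certificate error if the proxy presents a certificate the test machine does not trust, which is itself worth fixing rather than bypassing, since WebAgent clients will see the same error.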
See the schematic view below: