Lync
bacik, 2014-06-19 07:15:05

How to create a public certificate authority?

Good afternoon!
The following infrastructure exists:
- Primary domain controller windows server 2012 r2
- Domain controller windows server 2012 r2 + Certificate Authority published in the domain
- Lync Front End Server (IIS)
- Firewall with white IP address
- Client machines with domain users
Mobile clients that are not in the domain (tablets, smartphones, etc.) must be connected to the Lync server.
To accomplish the goal:
- I specify the Lync edge server in the topology and publish the topology, export the published topology to a file
- Deploy a non-domain Lync Edge Server and load the topology file locally. The server understands who it is in the specified topology, swallows the file, and the stage is successful.
- I reach the stage of specifying the certification authority ...
and then a stupor. The certification authority that the Lync front-end server works with is located in the domain, so it is not possible to obtain a certificate.
Exporting the certificate to a file on the certificate authority and importing it into the deployed Lync edge server is not a beautiful solution; what to do with the clients later? Even if you issue a certificate to everyone manually, when a client connects, the certificate cannot be checked for some reason.
The solution is to set up a secondary CA and publish it on the Internet behind a firewall.
Questions:
How to create a public certificate authority based on win server 2012 r2
1. How is a certificate issued to non-domain users?
2. The secondary certification authority must be in the domain (not the root one)
3. On which ports should the certification authority be published through the firewall (443)?
4. Does the Lync front end server need to be set to a public server so that everyone can work through it?
Thanks in advance for the replies.


2 answer(s)
Cool Admin, 2014-06-20
@ifaustrue

Colleague, in order for everything to work, you need to either 1) export the public key from your CA, add it to the edge server's trusted root certification authorities, and then give this certificate to each of your clients on the mobile platforms along with the access details for installation on their devices, or 2) buy a white certificate and add its CA to the trusted root, although on the devices it should, of course, be trusted by default.
A second CA in this case is not a solution to your problem at all.
Well, yes, in order for everything to work, you need to publish the CRL lists on a public host (IIS / Apache). This is static content, and there is nothing secret in it; these are the basics and principles of the certificate mechanism. It is not necessary to give access to the CA from the outside.
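As an added illustration of the two steps in this answer (not code from the thread or from any of its authors): export only the CA's public certificate, import it into the Edge server's trusted root store, and then check which CRL distribution points a certificate issued by that CA points to and whether the HTTP ones answer. The CA name pattern and file paths are placeholders; the reachability check only proves something when run from outside the domain network.

```powershell
# Added example, not from the original thread. Assumes: a domain-joined machine that
# already trusts the enterprise CA; the CA subject contains the placeholder
# 'Contoso Root CA'; the exported .cer is copied to the Edge server separately.
$caSubjectPattern = 'Contoso Root CA'   # placeholder, adjust to your CA's subject

# 1. Find the CA certificate in the local machine Trusted Root store.
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $caSubjectPattern } |
    Select-Object -First 1
if (-not $caCert) { throw "No CA certificate matching '$caSubjectPattern' found" }

# 2. Export the public part only (DER .cer). The private key never leaves the CA.
$cerPath = Join-Path $env:TEMP 'root-ca.cer'
Export-Certificate -Cert $caCert -FilePath $cerPath -Type CERT | Out-Null

# 3. On the Edge server (not domain-joined), after copying root-ca.cer there:
# Import-Certificate -FilePath C:\certs\root-ca.cer -CertStoreLocation Cert:\LocalMachine\Root

# 4. Read the CRL Distribution Points (OID 2.5.29.31) from a certificate issued by
#    this CA. Non-domain clients can only use http:// URLs, never ldap:// ones.
function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text containing "URL=<uri>" lines.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Pick a certificate issued by the CA (e.g. the Front End's) from the machine store.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $caCert.Subject } |
    Select-Object -First 1
if (-not $leaf) { Write-Warning 'No certificate issued by this CA in Cert:\LocalMachine\My'; return }

foreach ($url in Get-CrlDistributionPoints -Certificate $leaf) {
    if ($url -like 'http*') {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            "{0}  reachable ({1} bytes)" -f $url, $r.RawContentLength
        } catch {
            "{0}  NOT reachable: {1}" -f $url, $_.Exception.Message
        }
    } else {
        "{0}  skipped (not usable by non-domain clients)" -f $url
    }
}
```

If every CDP URL is an ldap:// or an internal-only http:// name, external clients will fail revocation checking regardless of whether they trust the root, which matches the symptom described in the question.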

Ekaterina Kulikova, 2019-05-07
@kulakovaketrin

Interesting problem, I've never encountered this before. In general, I trust Arconse with all certification issues.
