The scenario should work fine with AD and NTLM authentication, that would just hit jabber video.
Depending on how secure the registrations need to be and if you have internal ip ranges which are
matching your endpoints you can put them in a local subzone bypassing the authentication.
There are some deployment guides around that. Check out the documentation.
You can have your external jabber clients to be registered to the VCS-E or use proxy registration (what I would prefer) or
have it proxy registered to the VCS-C.
As there are some deployment combinations and solutions and workarounds
I would check with a local consultant who can look into your deployment and see whats the best for you.
Please remember to rate helpful responses and identify helpful or correct answers.