NTLM advice please

I discovered HP TRIM client/server traffic uses RCF (Remote Call Framework) over TCP port 1137 for TRIM client traffic, this is encapsulated within NTLM or Kerberos which provides both the authentication mechanism as well as some level of encryption. There are no alternative authentication options available.

HP recommends deploying a "Workgroup Server" on each site and then have a central database. That's not ideal in this situation as we were hoping to offer the service from entirely within our own infrastructure.

Another viable option would be to ask that the clients firstly establish a VPN connection, but then we would still have to overcome the issue of mapping user credentials which goes away if we have them host the TRIM Workgroup Server on their own domain. I guess we could trust the VPN allocated IP address at that stage and attempt to offload NTLM or something, though I'm not sure it's worth the effort. We'll probably present them with the options of setting up cross domain trust vs. hosting their own TRIM Workgroup Server.