I have a lab set up as follows

CUCM 12.5 to Cisco expressway C to Expressway E..

Expressway E has dual interface : lan 1 has an internal IP : 192.168.2.6. lan 2 has an internal IP 192.168.2.7. static nat is enabled on the lan 2 with a public IP 1.1 1.1. This public IP is the IP address of vps Ubuntu machine . There is a wire guard tunnel between  Mikrotik router 1 and  the vps.

Expressway C ,E and CUCM belong to Mikrotik router 2 which is connected to Mikrotik router 1 that is connected to the vps

Issues

1) MRA user can't login. I will get the sso page and login but phone service fails. I can login internally .  The diagnostics on the WebEx shows tffp server request fails, service profile fails . I have checked the tffp server and it is running 

2) when I connect to internal network and login.After I have disconnected the network and connect to the internet, WebEx phone service will show connected. If I sign out and try to sign ,I won't login

3) when I login externally after  I have logged in initially , I try to make a call, there will be no video and Audio

4,) When the internal endpoint calls MRA endpoint ,the call will fail but I change the expe IP to public IP in the traversal zone between c and e, the call will  go through 

I have equally opened some ports on the vps 

I will appreciate any contribution geared toward the resolution of this issue