All, the solution for us turned out to be static routing open our core router and firewall policies on our corporate firewall. As for the MX67 and the Z3 devices, the solutions are as follows:   (Placed behind our NAT'd Fortigate) MX67: Assign corporate LAN static IP, Set as Passthrough Mode or VPN Concentrator and Client Tracking set to IP, S2SVPN set as Hub and added Local Networks (In my case there were 8 local subnets that I wanted my remote clients to see over VPN) to advertise over VPN to Z3s, NAT set to Automatic.   (Placed behind home office internet router (Google Fiber in my case)) Z3: Let the device grab an IP address on the router via DHCP, no need to set a static IP here, Set as Routed Mode and Client Tracking to IP, S2SVPN set as Spoke and selected my MX as the Hub and checked box for Default route (I want all traffic going through my network), Set NAT to automatic.   Corporate Firewall/Router Setup static routing for my Z3 subnets (total 10, 5 for LAN and 5 for VOIP) to point to the internal static IP address of my MX67. The MX67 handles all routing automatically after that, so no need to add static routes here or on my Z3s.   Setup two firewall policies: 1. Policy for VOIP, basically letting my Z3 Jabber and IP Phone enabled devices contact our call manager servers using VOIP protocols.     ANY ANY Z3 GROUPS ALL ALWAYS VOIP ACCEPT NO-NAT 2. Policy for access to corporate LAN, basically giving the Z3 subnets access to my corporate subnets.     ANY LAN Z3 GROUPS ALL ALWAYS ALL ACCEPT NAT   Testing: I can receive calls on my Z3 clients using Jabber and my Cisco IP Phone. Calls in and out are clear, no drops or static. Calls between Jabber clients remotely and locally are good. Calls between Cisco IP phones locally and remotely are good.   I hope this helps anyone out there deciding to setup an MX/Z3 Telework network behind a Fortigate/Cisco network.   ... View more