You were told wrong. I have ten's of thousands of users using softphone + Cisco VPN. Your issue is the UDP ports on page 1 of your network region form aren't open on your firewall.

Let me get this straight, someone told you that VPN is one-way? Hope that was not your network engineer.
I agree with “Phoneguy55”, this sounds like a port issue.

I've also run into the issue where traffic between endpoints can't route appropriately, rather than port configuration/allowance. Make sure that from the soft phone PC they can ping whatever other endpoint is involved in the call (DSP Resource, phone, gateway where PRIs land, etc.).

I ran into an issue with one-way audio between softphone endpoints and got around it by turning off IP shuffling. That could be something else you may see.

Typically, VPN tunnels by default do not allow packets to flow directly to another VPN tunnel. That will cause loss of audio if direct media is enabled.

This will likely come down to having to understand your firewall rules (work with your network engineers, not against them... even if they can't do the same) and understanding the ip-network-region configurations in your system.

Obviously, connection to PROCR or a CLAN (unpreferred) is needed for h323 registration. After that you need to understand where the RTP packets are flowing. Hopefully all your VPN endpoints are 'captured' by an IPNR meant for these people. Once you have them all grouped you can give them all rules such as no direct media, or direct media only to certain offices etc.

Also, troubleshooting the -now-... get a 1 way call up, do a "status station" and look at the media path. Screen shot that then work with your firewall people to establish that the path is valid for RTP packets. A list trace will also provide similiar data, but the status station during an active call will be a little easier to read.

Also, you MUST get rid of the h225 and h323 ALGs/layer 4 firewalls. They will cause problems almost always.