On FE you can change IIS Web sites bindings to IPv4 IP address instead of all unassigned.
Ensure that there are no deep packet application inspection or antivirus scan on the Firewall in between these servers.
Verify if you have session timeout in your firewall. In case of Palo Alto firewall you needs to set timeout to 4800 seconds, because PA will consider WebConf MTLS as ssl and due to offloading of ssl traffic only every 16th packet will be counted for session time to live. Refer to https://live.paloaltonetworks.com/docs/DOC-3950.
WebConf will send keepalives every 300 seconds (5 minutes), 16x300 will be you a timeout setiing required for Palo Alto.
Log Name: Lync Server
Source: LS Data MCU
Date: 12/16/2013 5:20:16 PM
Event ID: 41026
Task Category: (1018)
No connectivity with any of Web Conferencing Edge Servers. External Lync clients cannot use Web Conferencing modality.
Cause: Service may be unavailable or Network connectivity may have been compromised.
Verify all Web Conferencing Edge Services in the topology are running, and network connectivity is available.