Had this issue when I first got the UGW, figured I could NAT to public so I could use it inside and outside. Gave the phones 192 address space as well as Sig/Media, then NAT'd to public; didn't work - always a one-way conversation. Used PIX/Checkpoint, still did not work properly. End result: put it in front of the FW, however I have an ACL on the L3 switch ports which restricts the only ports allowed to connect to it. For internal users I had to go with a 2nd card.

There is however an "outside the box" workaround... on your router set up an ACL (sorry, only familiar with Cisco on routers/switches) denying bad IP addresses (porn sites or any other destinations that are denied/restricted).

On the switch, assign the IP phones those IP addresses that are bad. Use sticky MAC (one address), then use shutdown if someone tries to set up a computer to bypass company policies - make sure the router/switch does not hand out DHCP.

Example: your UGW has 2 public IPs
1.2.3.4 Signal
5.6.7.8 Media

IP phones 100.100.100.1
100.100.100.2

and so forth (don't use those, they are just examples; they belong to ARIN).


Adrian
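The two building blocks the post above relies on, an extended ACL on the router and sticky port security on the phone ports, as a constructed Cisco IOS configuration (added example, not part of Adrian's post or any vendor documentation). Interface names, VLAN 10, the ACL name and the 203.0.113.0/24 "restricted destination" range are assumptions; the addresses come from the RFC 5737 documentation ranges and stand in for whatever destinations a site actually denies.

```cisco
! Constructed example; replace interface names, VLAN and prefixes with your own.

! --- Router: deny traffic toward the restricted destinations ---
ip access-list extended DENY-RESTRICTED-DEST
 remark hypothetical blocked destinations (replace with the real list)
 deny   ip any 203.0.113.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0
 description LAN-facing interface
 ip access-group DENY-RESTRICTED-DEST in
!
! --- Switch: phone ports locked to one learned (sticky) MAC ---
! The switch itself must not act as a DHCP server for these ports.
no service dhcp
!
interface range FastEthernet0/1 - 24
 description IP phone ports
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Optional: bring an err-disabled port back after 5 minutes instead of
! requiring a manual shutdown/no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

With `violation shutdown`, a port that sees a second MAC address (for example a PC plugged in where the phone was) goes err-disabled and logs a `%PM-4-ERR_DISABLE` message, which is the event to alert on. `show port-security interface FastEthernet0/1` shows the learned sticky address and the violation count; the learned MACs persist only after `copy running-config startup-config`, so save the configuration once every phone has been plugged in.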