A few questions
What are ports 1720-1728 UDP used for?
What are ports 52644-52645 used for?
What is port 5222 used for?
What is port 5060 TCP used for?
Is the public IP static or dynamic?
If static, is that IP installed in the use NAT IP field in network in the HT? If not, then add.
If dynamic, do you have a DDNS whereby you have an FQDN, and is that set in the NAT IP field? If not, consider getting one.
Keep-alives cause the HT to send a data packet out at a given interval (you set the interval) and these cause a couple of things:
If your public IP is dynamic, your provider may try to recover the IP for use elsewhere if they detect that the IP is not passing data over a certain period. In essence there will be no active sessions, no activity, no use and no need for you to keep it when others may have a need. By sending keep-alives, it causes the provider to be less likely to try to retrieve the IP. This is why I am asking about static or dynamic public IP.
Many folks do not forward ports and may not be able to, as they may not have control of the router. Keep-alives send a packet which in turn causes the router (most anyway) to open the ports to let the packet out and then keep them open for a period in anticipation of a response. The amount of time left open depends on the protocol being used and the manufacturer of the router. If forwarding is not in place and keep-alives are not enabled, then when you make a call, the ports will open and all seems well, but once you stop calling… the router will close them and any inbound calls will never be seen.
Unless I am mistaken and you are indeed using TCP, you should only need port 5060 UDP and then the ports that are set for the local RTP, and this should also be UDP. The default local RTP port is 5004, but perhaps you changed it.
There are only 3 data streams that the device really needs to be concerned about:
SIP - port 5060 UDP for the SIP messaging that does the setup and breakdown of the call.
RTP - port 5004 UDP, which is the stream for audio.
HTTP/HTTPS - port 80 TCP or 443 TCP if you want to access the web GUI of the HT remotely. However, be advised that a remap of ports may be needed if these ports are already in use, and that exposing the web interface does pose a risk as people will find it and attempt to hack into it.
You do not need a proxy to stop SIP scanners. You can use the other embedded security functions to accomplish the same, which you have, but if working there is no need to change either.
All of the above is simply to set the HT up for success, but may not solve the issue. I don’t recall ever having someone complain about an intermittent issue where one could faintly hear it, but at other times OK and then not. Usually, the issue is no audio or all calls too loud or too soft.
So, the first plan is to ensure the HT is set correctly and then see, and if still an issue, swap the handset or whatever else is on port 1 and see if the issue stays or moves.
Finally, you could swap port 1 with another and see if the issue stays with port 1.
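
The keep-alive and port-forwarding behaviour described in this post, as an added example that is not part of the original post: a small Python model of a router's UDP mapping timeout that reports which inbound calls on port 5060 reach the HT. The 30-second timeout, the call times and all class and function names are constructed assumptions; real routers differ by manufacturer and protocol, and this model ignores refreshes caused by inbound traffic.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Simplified consumer NAT router handling UDP (constructed model)."""
    udp_timeout: int                                # seconds an idle mapping survives
    forwards: set = field(default_factory=set)      # statically forwarded UDP ports
    last_out: dict = field(default_factory=dict)    # port -> time of last outbound packet

    def outbound(self, t, port):
        # Any outbound packet creates or refreshes the mapping for that port.
        self.last_out[port] = t

    def inbound_allowed(self, t, port):
        # A forwarded port is always open; otherwise the mapping must be fresh.
        if port in self.forwards:
            return True
        seen = self.last_out.get(port)
        return seen is not None and (t - seen) <= self.udp_timeout


def inbound_call_results(udp_timeout, keepalive, call_times,
                         forwarded=False, sip_port=5060):
    """Return {call_time: delivered?} for inbound calls after an outbound call at t=0.

    keepalive is the keep-alive interval in seconds, or None when disabled.
    """
    router = NatRouter(udp_timeout, {sip_port} if forwarded else set())
    router.outbound(0, sip_port)                    # the last outbound call
    events = [(t, 1, "invite") for t in call_times]
    if keepalive:
        t = keepalive
        while t <= max(call_times):
            events.append((t, 0, "keepalive"))      # sorts before an invite at the same t
            t += keepalive
    results = {}
    for t, _, kind in sorted(events):
        if kind == "keepalive":
            router.outbound(t, sip_port)
        else:
            results[t] = router.inbound_allowed(t, sip_port)
    return results


if __name__ == "__main__":
    calls = [20, 290]                               # constructed inbound call times (s)
    for label, ka, fwd in [("no keep-alive", None, False), ("keep-alive 20s", 20, False),
                           ("keep-alive 60s", 60, False), ("forwarded", None, True)]:
        print(label, inbound_call_results(30, ka, calls, forwarded=fwd))
```

The 60-second case shows that a keep-alive only helps when its interval is shorter than the router's UDP timeout.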