I have noticed something strange when it comes to customers using Checkpoint Firewall. What we found out was that if we used the default rules in Checkpoint for traffic on port 5061, it stripped out the SSL traffic and sent the rest as normal traffic.
Why Checkpoint strips down the traffic, I don't know. To solve this, we had to create normal TCP 5061 rules for this type of traffic.
There are others who had this issue: http://social.technet.microsoft.com/Forums/lync/en-US/320f12d3-12b3-49ae-8823-bd51b96d62d8/lync-federation-with-checkpoint-firewall
For my customer we had involved Microsoft Premier Support, had been checking the Lync 2013 deployment up and down, checked the certificates, and analysed the network, servers, clients and all. The whole time it was the CheckPoint FW that stopped us and we could not see it :)