Several different types of UCMA applications need to place calls to the PSTN via the Mediation Server: outbound dialers, click-to-call applications, auto-attendants, and so forth. At some point, you may deploy one of these applications to a new environment, having tested it extensively, only to be stopped in your tracks by an exception like the following when your application tries to place outbound PSTN calls: Microsoft.Rtc.Signaling.FailureResponseException:A 403 (Forbidden) response was received from the network and the operation failed. See the exception details for more information.
I've seen this happen a number of times, and usually what has happened is that the testing occurred in an environment with a very permissive global voice policy, allowing all users to place any type of PSTN call. Then the application is deployed in a production environment with more restrictions. The global voice policy no longer allows all users by default to place outbound PSTN calls. Since it's unlikely you assigned a voice policy to your trusted application endpoint when you first created it, the outbound calls from your application are getting blocked by Lync.
The solution is simple: assign a voice policy to your trusted application endpoint. You can do this using the Grant-CsVoicePolicy commandlet in Lync Management Shell; just use the SIP URI of your trusted application endpoint as the Identity parameter, like so:
[ps]Grant-CsVoicePolicy -Identity sip:firstname.lastname@example.org -PolicyName MyPolicy[/ps]
If you try running your application again after making this change, chances are that your 403 Forbidden troubles will be gone.
A variant of this issue occurs when the default dial plan is not appropriate for your trusted endpoint. The same concept works for dial plans: just use Grant-CsDialPlan rather than Grant-CsVoicePolicy.
By default, the Get-CsTrustedApplicationEndpoint commandlet doesn't show you the policies and dial plan assigned to your endpoint, but with a small tweak you can change that.