IMO, Vitelity blew it on their description of the changes. IMO, it’s very unlikely that anyone was so paranoid that they filtered incoming RTP based on source port numbers. This would provide no extra security because an attacker that could pass all the other restrictions could choose a source port that wasn’t filtered.
I believe that the important aspect of the change is that they no longer do ‘symmetric RTP’, a.k.a. ‘connection oriented media’ on at least some calls, so a NAT that rewrites the source port number and lacks forwarding of RTP to the PBX (by default, UDP ports 10000-20000) will cause inbound audio to be lost.
The conservative fix is to both forward UDP with destination ports 10000-20000 to the PBX, and also ensure that the source port does not get rewritten when the PBX sends UDP with source ports 10000-20000.
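A way to check the second half of that fix on a Linux-based NAT router, as an added example that is not part of the original post: it reads connection-tracking entries in `conntrack -L -p udp` format and reports RTP flows from the PBX whose source port was rewritten on the way out. The PBX address and the sample entries are constructed assumptions; the 10000-20000 range is the default named above.

```python
import re

RTP_PORTS = range(10000, 20001)   # default RTP range named in the post
PBX_IP = "192.168.1.10"           # assumption: the PBX's LAN address

# Constructed sample in `conntrack -L -p udp` format (documentation addresses).
SAMPLE = """\
udp      17 117 src=192.168.1.10 dst=203.0.113.20 sport=10502 dport=18230 src=203.0.113.20 dst=198.51.100.7 sport=18230 dport=10502 [ASSURED] mark=0 use=1
udp      17 98 src=192.168.1.10 dst=203.0.113.20 sport=14820 dport=18232 src=203.0.113.20 dst=198.51.100.7 sport=18232 dport=1027 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.55 dst=9.9.9.9 sport=53124 dport=53 src=9.9.9.9 dst=198.51.100.7 sport=53 dport=53124 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_flow(line):
    """Split one entry into (original, reply) tuples, or None if malformed."""
    if not line.startswith("udp"):
        return None
    fields = FIELD.findall(line)
    if len(fields) < 8:
        return None
    # The first four fields are the packet as the PBX sent it; the next four
    # describe the expected reply, so reply dport is the port seen outside.
    return dict(fields[:4]), dict(fields[4:8])


def rewritten_rtp_flows(text, pbx_ip=PBX_IP):
    """Return (pbx_port, public_port, remote_ip) for each rewritten RTP flow."""
    findings = []
    for line in text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        orig, reply = parsed
        sport = int(orig["sport"])
        if orig["src"] != pbx_ip or sport not in RTP_PORTS:
            continue
        public_port = int(reply["dport"])
        if public_port != sport:
            findings.append((sport, public_port, orig["dst"]))
    return findings


if __name__ == "__main__":
    for pbx_port, public_port, remote in rewritten_rtp_flows(SAMPLE):
        print(f"RTP to {remote}: PBX port {pbx_port} left the NAT as {public_port}")
```

An empty result during an active call means the NAT is preserving the PBX's RTP source ports; the inbound forward of UDP 10000-20000 still has to be verified separately.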