At first look this appears to be an issue with security devices (like UDP ports being blocked, etc.) in the entire path from B-A-C.
As your communication from B to A and C to A works perfectly, can you cross-check if similar policies are defined for traffic from B to C? Although your traffic is physically travelling from B to A to C, a lot will depend upon source and destination address ranges.
Ringing on the phone is controlled via Phone to CCM. So site B and C successfully ringing each other sounds legitimate since really phone B is communicating via SCCP to the CCM at the main site and phone C is communicating via SCCP to the CCM at the main site. As soon as both parties pick up, CCM instructs the phones to open RTP media channels to each other; CCM never participates in the media stream on a 2 party call. This is why you get ring but no voice because you have tunnels from both sites to HQ but no tunnel from B to C (based on how I read your post). You need to allow tunnels between the two sites if you want voice to traverse.
Call forward works in the same way (which I think you are really referring to transfer) except the original call is B to A, then transferred to C. When the call is transferred and both parties pick up, then again CCM tells C & B to open media streams directly to each other on their IPs; again you have no tunnel that allows this.
Now in regards to conferencing. Conferencing is handled by a multipoint device, CCM has a native software conference bridge. So when you conference B & C in via the A phone, you are actually opening 3 streams to a device on HQ, phone A, B, C to CCM Conference bridge. This fits with your tunnel topology, thus this is why this works.
You can use a meet-me conference. Set up Meet-Me Numbers on the CCM. If user B & C need to talk without A, then one of the users presses the Meet-Me softkey and dials the Meet-Me number. The second user then dials the Meet-Me number direct. This will create an ad-hoc conference without a user having to conference people in other than the original Meet-Me initiation.
With that being said you should really look at creating tunnels between all of your sites. Not sure the reasoning but it seems more of an admin nightmare handling the voice restricted scenarios than maintaining a 2nd tunnel.
If you can't make the 2nd tunnel then you might want to look at using Route Patterns for 4 digit dialing to site B & C. These patterns would translate the 4 digit to the 10 digit (or whatever number plan you use) and route out the PSTN. This could also be done with CCM Locations and restrict the Bandwidth between Region B & C to 1kbps. That way a user can't make a phone call, even the ringing part. They will be presented with an Out of Bandwidth response on their phone. This response could be changed to say something else in CCM service configuration. This would be helpful if you didn't want PSTN dialing but wanted to restrict the B to C calling. Additionally you could then set up AAR so when B & C try to call each other it then automatically calls them out of your PSTN link for each site.
No problem, glad that worked for you. If you ever wanted to discuss setting up the 4 digit PSTN dialing or any of the other alternatives (CSS restrictions or AAR) then I'm sure will be happy to help you. Thanks for rating the posts.
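The replies above explain the symptom in terms of which flows the tunnel policies actually cover: SCCP signalling and conference media terminate at HQ, while two-party RTP runs phone to phone. The following Python sketch is an added example, not code from any poster or from Cisco, that audits a tunnel policy for those three flows. The site subnets, host addresses and helper names are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing (not from the thread): A is HQ, B and C are branches.
NET = {s: ip.ip_network(n) for s, n in
       {"A": "10.1.0.0/16", "B": "10.2.0.0/16", "C": "10.3.0.0/16"}.items()}
CCM, BRIDGE = ip.ip_address("10.1.0.10"), ip.ip_address("10.1.0.11")
PHONE_B, PHONE_C = ip.ip_address("10.2.0.50"), ip.ip_address("10.3.0.50")

def tunnel(end1, end2, *pairs):
    """A tunnel between two sites plus the (site, site) address pairs it carries."""
    return {"ends": (end1, end2), "sel": [(NET[x], NET[y]) for x, y in pairs]}

def site_of(addr):
    return next(s for s, n in NET.items() if addr in n)

def matches(t, src, dst):
    # Selectors are treated as bidirectional, as with mirrored policies.
    return any((src in x and dst in y) or (src in y and dst in x) for x, y in t["sel"])

def reachable(tunnels, src, dst):
    """Walk tunnel by tunnel; every hop must have a selector matching src/dst."""
    goal, seen, todo = site_of(dst), {site_of(src)}, [site_of(src)]
    while todo:
        here = todo.pop()
        if here == goal:
            return True
        for t in tunnels:
            if here in t["ends"] and matches(t, src, dst):
                nxt = t["ends"][1] if t["ends"][0] == here else t["ends"][0]
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return False

def call_outcome(tunnels):
    return {
        # Signalling: each phone talks SCCP to the CCM at HQ.
        "rings": reachable(tunnels, PHONE_B, CCM) and reachable(tunnels, PHONE_C, CCM),
        # Two-party media: RTP directly between the phones.
        "two_party_audio": reachable(tunnels, PHONE_B, PHONE_C),
        # Conference media: each phone streams to the bridge at HQ.
        "conference_audio": reachable(tunnels, PHONE_B, BRIDGE) and reachable(tunnels, PHONE_C, BRIDGE),
    }

HUB_ONLY = [tunnel("B", "A", ("B", "A")), tunnel("C", "A", ("C", "A"))]
HAIRPIN = [tunnel("B", "A", ("B", "A"), ("B", "C")), tunnel("C", "A", ("C", "A"), ("B", "C"))]
DIRECT = HUB_ONLY + [tunnel("B", "C", ("B", "C"))]
```

`call_outcome(HUB_ONLY)` reproduces the reported behaviour (ring and conference work, two-party audio does not), while `HAIRPIN` and `DIRECT` model the two ways of covering B-to-C traffic.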
These are the paths to get to each CCX logs through CLI. They may be helpful if you are having issues accessing RTMT or downloading logs through it.
If you want to download them you have to prefix "file get " and you can add one of the options (re...