I realize that I am late to the party, but here are my 2 cents.
An MBG (or some sort of Outbound SIP Proxy) should be used. If the SIP trunks are coming in over the internet then you would need an MBG in Server-gateway mode with one interface on the LAN and other on the internet. Or you could make a DMZ on your firewall and put it in there. The MBG would be in DMZ mode.
You can try port forwarding the appropriate ports to the 3300 for SIP and RTP, but you will have one-way audio problems. When a call is up, a phone will send it's voice packets directly to the endpoint that it's trying to communicate with. In your case, the other end point is the service provider. If there were some way for the 3300 to stay in the audio path then you could probably get away without an outbound proxy.
Some phone systems, like Asterisk, let you keep the phone system in the audio path. Keep in mind that doing so will result in more demand on the phone system. It would be a terrible idea of a deployment of 100s of phones.
I'm currently on a quest to find out if it's possible to bring in SIP trunks to a 3300 without an MBG, but no luck so far. I suppose it could work if all the extensions were analog.