Right. Next time, you try telling your customer's IT guy that his network firewall is faulty. See if that will get you anywhere.
Oh well. At least this gave me the chance to look into enabling our web server to allow SSH proxying. Found a useful article here: Tunneling SSH over HTTP(S).
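This is essentially what you need to add to your httpd.conf on the Apache server:
# HTTP Proxy for SSH
# Assumption: mod_proxy and mod_proxy_connect are loaded and forward
# proxying (ProxyRequests On) is already enabled elsewhere in httpd.conf.
# Only allow CONNECT tunnels to port 22
AllowCONNECT 22
ProxyVia On
# Internal IP of your SSH server
# This section only controls who may reach the SSH server; with forward
# proxying enabled, other destinations need their own deny rule (<Proxy *>).
<ProxyMatch (192\.168\.1\.1)>
Order deny,allow
Deny from all
### External (customer) sites allowed to connect
Allow from 199.243.1.61
Allow from 74.100.102.21
</ProxyMatch>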
Then, to connect from the remote site, set the PuTTY connection host name to 192.168.1.1 (the internal IP address of your SSH server), set Connection > Proxy to use an HTTP proxy, and enter the public hostname and port of your Apache server.
That's it. Painless.
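Since this turns the web server into a path to the internal SSH host, it is worth checking the access log for CONNECT requests that fall outside the rules above. The script below is an added example, not from the linked article; it assumes Apache's common/combined log format, and the log lines are constructed samples.

```python
import re
from ipaddress import ip_address

# Values taken from the httpd.conf snippet in the post.
ALLOWED_CLIENTS = {ip_address("199.243.1.61"), ip_address("74.100.102.21")}
ALLOWED_TARGET = ("192.168.1.1", "22")

# Assumed common/combined log prefix: client ident user [time] "request" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

def audit_connects(lines):
    """Return (client, target, granted, reason) for out-of-policy CONNECTs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host, _, port = m["target"].rpartition(":")
        reasons = []
        try:
            if ip_address(m["client"]) not in ALLOWED_CLIENTS:
                reasons.append("client not in allow list")
        except ValueError:
            reasons.append("client is not an IP address")
        if (host, port) != ALLOWED_TARGET:
            reasons.append("unexpected CONNECT target")
        if reasons:
            # A 2xx status on an out-of-policy request means the tunnel opened.
            granted = m["status"].startswith("2")
            findings.append((m["client"], m["target"], granted, "; ".join(reasons)))
    return findings

# Constructed sample lines (not real traffic); 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    '199.243.1.61 - - [10/Mar/2008:09:12:01 -0500] "CONNECT 192.168.1.1:22 HTTP/1.1" 200 -',
    '203.0.113.9 - - [10/Mar/2008:09:14:40 -0500] "CONNECT 192.168.1.1:22 HTTP/1.1" 403 215',
    '74.100.102.21 - - [10/Mar/2008:09:20:13 -0500] "CONNECT 192.168.1.7:22 HTTP/1.1" 200 -',
    '74.100.102.21 - - [10/Mar/2008:09:21:55 -0500] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for client, target, granted, reason in audit_connects(SAMPLE_LOG):
        print(f"{client} -> {target} granted={granted}: {reason}")
```

Any finding with granted=True means the proxy rules are looser than intended and should be tightened.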
A slight diversion from real work, but this will come in handy the next time I'm at a customer site that blocks out all ports except port 80. I need my network to follow me everywhere I go. I'm effectively crippled without it.
Unless... I wonder what would happen if the customer's network itself uses a proxy server to get out to the Internet...
Oh well. Not my problem to worry about right now. Will deal with it when I run into it.