I agree that being behind someone else's firewall is a problem as the user may not understand the implications of this and thus advertise an impossible exit policy.
Suggestion for the coders .. make the client test itself and adjust the exit policy on the fly.
