You think that's strict. Ours allows only port 80 and that through a transproxy that mangles
`advanced' features like HTTP/1.1 or pipelining. No 443, no 22, and ssh is `too insecure'
although unsecured telnet is fine if the connection initiator happens to be in management.
(Yes, I need to switch jobs.)