[RayPesek]

Yes, we use a proxy.

Yes, we restrict the ports.

We restrict only on the firewall and drop them.

I've probably go about five exceptions, for dumb things like WebTrends and a cellular company who insists on running their text messaging system (send SMS via a browser) on a non-standard port. Where possible, I create a second rule with the proxy as source, all of the the non-standard ports as the services, and restrict the destinations.

I try to stick to the standards rigorously. Security through obscurity does not work and people who run web servers on non-standard ports are usually small companies. If they think that is making the secure, we don't want to do business with them.

HTH,

Ray