"But on Linux systems, the only way you can get a server to successfully use port 80 is to run it as root."
Well, I have setup lots of web-servers, on none apache runs as root & they all listen to port 80.
But let's forget about that right now, it's a different discussion. We have an actual problem to solve.
(Adding, reading your latest post: Maybe you're right about the safest way to run Tomcat, can't say, can't debate - I haven't studied that one in detail.)

Let's get it clear:
1. Webserver runs a java application under tomcat, it listens on port 8080.
2. Your firewall has a NAT rule: WAN port 80 -> webserver port 8080.
3. Only from one customers office there is no access.
Make this very clear: You always use an URL like "http://www.myweb.com" that is, port is never specified.
Correct?
Then the problem simply has to be with that customers firewall or computer. Is it a laptop? Then take it outside the office and try again.

Juniper you say, they are very reliable. (Had it been a cheap 50$ thing I would have blamed it immediately.)
If you can't get any logs or actual config out, maybe you could ask the firewall/network admins what traffic is allowed?
Depending on what company it is and what staff they have, you might simply present them your problem.

But this is very puzzling!
Where did you open port 8080 - not on the firewall I presume?
If you really had to open 8080 on firewall then we have a misconfiguration that could cause erratic behaviour.

If you forward a port using the iptables REDIRECT target like this:...the traffic flow between the client and the server will be between a random TCP port on the client to port 80 on the server. The INPUT chain in the filter table will have to allow inbound packets to both port 80 and port 8080.

When you use the REDIRECT target, replies from port 8080 on the server are intercepted by the iptables NAT engine and the source port number is altered from 8080 to 80. Otherwise, the client wouldn't accept the packets; it believes it's communicating with port 80 on the server, not port 8080.

However, if you use a web server to issue a 301 or 302 HTTP redirect when the client accesses port 80, the client will start a new connection to port 8080. In that case, a firewall (on the client side) blocking port 8080 will prevent the client from reaching the site.

BTW, there are ways to run Tomcat on port 80 without giving it root privileges. One popular approach is to use authbind.

1 members found this post helpful.