The solution is to use a dynamic DNS address as the 'middleman'. The server behind the firewall is set to call out to the dynamic DNS address. (I use a cron job on the server to run a script based on the one here:
http://www.brandonhutchinson.com/ssh_tunnelling.html to do this.) The client updates the dynamic DNS address when you connect to the internet from the location from where you want to use the tunnel.
Possible problems are:
- traffic on the standard SSH port may not be allowed. Consider (ab)using the HTTPS port instead.
- if the internet connection is broken during a tunnelled session, you need to stop and restart the sshd daemon on the client, then wait for the server to connect again.
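As an added example (not the script from the linked page and not the poster's own), here is a cron-driven keeper script for the server behind the firewall. It assumes a hypothetical dynamic DNS name home.example.net for the client, that the client's sshd listens on the HTTPS port 443 (a `Port 443` line in its sshd_config), a dedicated low-privilege account `tunnel` on the client, and key-based login already set up for the cron user; all of these are placeholders.

```shell
#!/bin/sh
# Reverse SSH tunnel keeper: run from cron every few minutes on the server
# behind the firewall, e.g.  */5 * * * * /usr/local/bin/reverse_tunnel.sh run
# Added example; hostnames, ports and account below are assumptions.

TUNNEL_HOST="${TUNNEL_HOST:-home.example.net}"  # dynamic DNS name of the client (placeholder)
TUNNEL_PORT="${TUNNEL_PORT:-443}"               # client's sshd listens on the HTTPS port (assumption)
TUNNEL_USER="${TUNNEL_USER:-tunnel}"            # dedicated account on the client (assumption)
REMOTE_PORT="${REMOTE_PORT:-2222}"              # loopback port opened on the client, leads back here
LOCAL_PORT="${LOCAL_PORT:-22}"                  # this server's own sshd
PIDFILE="${PIDFILE:-/tmp/reverse_tunnel.pid}"   # remembers the ssh process between cron runs

# Build the ssh command line.
#  -N                      no remote shell, forwarding only
#  BatchMode=yes           never prompt; cron has no terminal
#  ExitOnForwardFailure    exit if the client still holds REMOTE_PORT, so cron retries later
#  ServerAlive*            a dead link makes ssh exit after ~90 s instead of hanging forever
#  StrictHostKeyChecking   refuse an unknown client key; an attacker who controls the
#                          dynamic DNS name must not be able to receive this tunnel
#  -R 127.0.0.1:...        bind the reverse port to the client's loopback only
build_tunnel_cmd() {
    printf 'ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -p %s -R 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$TUNNEL_PORT" "$REMOTE_PORT" "$LOCAL_PORT" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# True if the ssh process recorded in PIDFILE is still alive.
tunnel_is_up() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Start the tunnel unless one is already running; cron calls this repeatedly,
# so a tunnel that died (link drop, client reboot) is re-established on the
# next run without touching anything on the client.
ensure_tunnel() {
    if tunnel_is_up; then
        return 0
    fi
    # No argument contains spaces, so word-splitting the command string is safe.
    # shellcheck disable=SC2046
    nohup $(build_tunnel_cmd) >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

# Only act when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    ensure_tunnel
fi
```

Two settings on the client side matter for the broken-connection case: `ClientAliveInterval`/`ClientAliveCountMax` in the client's sshd_config make its sshd drop a dead session and release the reverse port within a couple of minutes, and until that happens `ExitOnForwardFailure` makes the server's retry exit immediately instead of sitting connected with no forward, so the next cron run tries again. Once the tunnel is up, you log in from the client with `ssh -p 2222 localhost` (the placeholder port above).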