One thing we do with our customers if they don't want to open the port in their firewall is run the VNC listening viewer on our end. Then, whenever they have a support issue that requires a VNC session, we just tell them to right click on the server icon, select "Add New Client" and type in our hostname.

Works quite well and seems to satisfy the more paranoid net admins. Just make sure you have port 5500 open on your end if you want to do this.