I work with Paul; let me expound a bit on the problem. Perhaps we’re simply having a misunderstanding.
As I understand what’s happening, we have two basic choices for secure connections to Wildfire: “Old” or “Legacy” SSL, which connects on port 5223, and TLS, which makes an insecure connection on port 5222 and issues the “StartTLS” command to secure the connection.
If we wanted to support the “Legacy SSL” version, this would be pretty easy: we’d tell the Wildfire server to accept insecure connections, and then firewall 5222 off so that only the VPN could get to it.
The problems with this approach are 1) we don’t want to support a “Legacy” protocol that may go away someday and 2) we can’t get GAIM to actually connect using SSL on 5223.
So, then, if we rule out using “Legacy SSL” on 5223, how do we restrict what clients can connect securely or insecurely on 5222? As far as I can tell, there’s no mechanism to allow that. The stunnel idea might work, though; if performance were an issue (and I doubt it would be since we’re talking about maybe 4 clients using this mechanism) we could even run it on another machine.
But, yes, a neat feature would be an ability to say “Everything except this IP range must connect securely.”
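The stunnel idea sketched above, written out as an added example that is not code from this thread, from Wildfire or from stunnel: stunnel terminates TLS on a separate public port and hands plaintext XMPP to 5222 on loopback, while the firewall limits plain 5222 to loopback and the VPN range, so any client outside the VPN can only reach the TLS front end. The VPN range 10.8.0.0/24, the public port 5224 and the certificate path are assumptions; the script writes both files out for review rather than applying anything.

```shell
#!/bin/sh
# Added example (not from the thread, Wildfire or stunnel): generate the
# stunnel config and the iptables rules that implement "plain 5222 only
# from loopback and the VPN; everyone else must use the TLS front end".
# Assumptions: VPN clients arrive from 10.8.0.0/24, stunnel runs on the
# Wildfire host, TLS is offered on 5224, cert is at the path below.

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # assumed VPN client range
TLS_PORT="${TLS_PORT:-5224}"         # assumed public port fronted by stunnel

# stunnel: accept TLS on TLS_PORT, forward plaintext XMPP to 5222 on loopback
write_stunnel_conf() {
  cat > "$1" <<EOF
cert = /etc/stunnel/wildfire.pem
[xmpp-tls]
accept = 0.0.0.0:$TLS_PORT
connect = 127.0.0.1:5222
EOF
}

# firewall: iptables is first-match, so the two ACCEPTs for 5222 (loopback,
# i.e. stunnel, and the VPN range) must precede the catch-all DROP; the TLS
# port is open to everyone because stunnel enforces encryption there.
write_firewall_rules() {
  cat > "$1" <<EOF
iptables -A INPUT -p tcp --dport 5222 -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 5222 -s $VPN_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 5222 -j DROP
iptables -A INPUT -p tcp --dport $TLS_PORT -j ACCEPT
EOF
}

# count_rules_for PORT FILE: number of generated rules that touch PORT,
# a quick sanity check that 5222 got its allow/allow/drop triple.
count_rules_for() {
  grep -c -- "--dport $1 " "$2"
}
```

Review the generated rules file before applying it, and place these rules after any existing ESTABLISHED,RELATED rule so the DROP does not cut off sessions already in flight.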