August 06, 2002

SSH behind a firewall


I've finally figured out how to cleanly access hosts outside my company's firewall using OpenSSH.

OpenSSH lets you specify an external program that performs the TCP/IP connection instead of ssh making it directly. That program can connect to a Web proxy and tell it, using the CONNECT method, to connect to the external machine you want to reach.

The following connect.c program does exactly this. Just compile the program on your machine, put the resulting binary in a convenient place (like /usr/local/bin), and add the following line at the top of your ~/.ssh/config file:

ProxyCommand /usr/local/bin/connect -H web-proxy:port %h %p

Each time you run ssh host, OpenSSH spawns connect and passes it, on the command line, the host and port number you want to connect to (the %h and %p in the line above). connect then takes care of connecting through the supplied Web proxy.
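What a helper like connect has to do on the wire before ssh takes over, sketched in Python as an added example (this is not the connect.c source; the function names and host.example.org are made up for illustration). It sends the CONNECT request, checks the proxy's status line, and keeps any bytes that arrive after the proxy's headers, because those already belong to the SSH stream.

```python
import socket

def connect_request(host: str, port: int) -> bytes:
    """Build the request sent to the Web proxy for the %h and %p values."""
    target = f"{host}:{port}"
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n\r\n").encode("ascii")

def open_tunnel(proxy: socket.socket, host: str, port: int) -> bytes:
    """Run the CONNECT handshake on an already-connected proxy socket.

    Returns the bytes received after the proxy's header block. They are
    part of the tunnelled stream (for example the SSH server banner) and
    must be handed to ssh, not discarded.
    """
    proxy.sendall(connect_request(host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) > 65536:
            raise ConnectionError("proxy response headers too large")
        chunk = proxy.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during handshake")
        buf += chunk
    head, _, leftover = buf.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"malformed proxy reply: {status_line!r}")
    if not parts[1].startswith("2"):
        # Anything other than 2xx means the proxy did not open the tunnel.
        raise PermissionError(f"proxy refused CONNECT: {status_line}")
    return leftover

if __name__ == "__main__":
    # Constructed exchange: one end of a socketpair plays the Web proxy.
    client, fake_proxy = socket.socketpair()
    fake_proxy.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n"
                       b"SSH-2.0-Example\r\n")
    print("leftover for ssh:", open_tunnel(client, "host.example.org", 22))
    print("proxy saw:", fake_proxy.recv(4096))
```

After the handshake succeeds, the helper only copies bytes between its stdin/stdout and the proxy socket until either side closes.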

You may want to configure the ProxyCommand line per host, instead of applying it globally to all the hosts you connect to, including those inside the firewall. Read the OpenSSH configuration manual to understand how to do this.

Posted by ovidiu at August 06, 2002 06:55 PM
 
Copyright © 2002-2011 Ovidiu Predescu.