Thanks again for everyone's help.  I *think* I'm getting there, but alas, I
am not there yet.

I've got full logging on all over the place.  Through this, I think I've
been able to determine that:

bpcd is seeing the server-initiated backup request as coming from the
firewall.  When it checks its list of servers, it didn't find a match, so it
said "this isn't a server.  Abort."

So, on a whim, I made a hosts file entry for the firewall, named "FIREWALL",
go figure.  I put FIREWALL in the list of servers for that client, but did
not make it "Current".  This seemed to get me a little further.  Here's the
bpcd log on the client as of now (with IP address censored):

16:10:17.662 [1420.1656] <2> bpcd peer_hostname: Connection from host
FIREWALL (xxx.xxx.xxx.xxx) port 876
16:10:17.662 [1420.1656] <2> bpcd valid_server: comparing nawrcs-bbbkup02
and FIREWALL
16:10:17.662 [1420.1656] <2> bpcd valid_server: comparing
nawrcs-bbbkup02.na.corp.storaenso.com and FIREWALL
16:10:17.662 [1420.1656] <2> bpcd valid_server: comparing FIREWALL and
FIREWALL
16:10:17.662 [1420.1656] <4> bpcd valid_server: hostname comparison
succeeded
16:10:17.662 [1420.1656] <2> bpcd main: output socket port number = 13782
16:12:08.100 [1420.1656] <16> get_vnetd_socket: vnet_end_connect_back
failed: 10
16:12:08.100 [1420.1656] <16> bpcd main: get_vnetd_socket failed: 25

Current Environment: From the internal LAN to the DMZ, we've got all ports
open.  From the DMZ to the LAN, we now have bpcd, bprd, and vnetd ports
open.