by jacquesm 3297 days ago
Yes, if it is public then I agree.

But if it is private you're going to have to unlock a port, let the service do its thing and then re-lock afterwards. If you forget the last step you are now more at risk than before.

Also, since the service does not advertise what IP it will be connecting from beforehand (presumably the host you complete that form on, but that's not a certainty; its IP is 40.112.150.31, in an MS Azure block) you would open up access to the world in order to do this.


Even if the IP address was guaranteed static then I wouldn't dare recommend that admins add an exception to the firewall. That would certainly be a very bad practice. There are tools available (mentioned in the comments around) that do the same job and can be run in the DMZ (the question is, would anyone go through the source code and verify the tool does not contain any malicious code?).
Excellent, so how about the opposite: tell people on the website not to make an exception for your service.
I am tempted to not interfere with the Darwinian process ;) But seriously, we'll probably add some note like that.