Whilst most of the firewall products nowadays do provide proxies or web interfaces for users (for instance WebVPN in Cisco products), I do find it is a terrible idea to open up services and use up resources from the firewall. Just look at the long list of the security advices from WebVPN in Cisco for instance. I do follow the policy of minimum services that i have as a baggage as a Unix admin, and webvpn/proxy/VPN services are all provided by external servers. For instance, pfSense is quite nifty for that, or squid+dansguardian. Why not provide access or provide unrestrictive access in a wifi network for BYOD? They can as well pierce your firewall with personal VPN services, they are very cheap nowadays. As for the corporate network, many people do not understand how a culture of unrestricted access to social networks and allowing adverts is a covert channel to infect personal computers. Also if you want to invest in security and money is not a problem, have a look at the Capsule concept from Checkpoint.