to elaborate: you could allow the specific ports used by the Stratus servers, which would allow you to open NetConnections to Stratus. however, you (and we) have no control over the ports used by the other peers with which you would want to communicate, so your restrictive firewall still wouldn't allow those direct P2P connections. since getting peers talking is the only thing Stratus does, your connection to Stratus would not be useful.
if you have a very sophisticated stateful firewall, it might be possible to configure it to allow "outbound UDP to all ports >1023" for a specific internal address if the first packet it sends is to UDP port 1935 and it gets a response back. unfortunately, a rule like that wouldn't support IP address mobility for the internal host (example: moving from wireless to wired or wireless access point reboots or something), but it might be better than nothing.
another possibility would be to deploy a TURN* proxy server and configure it into the mms.cfg config file of every computer inside your firewall. *Flash Player uses IETF BEHAVE TURN draft 8, *not* the final RFC version of TURN.
realistically, if you (or your IT department) are concerned about allowing random UDP traffic, then you are probably also concerned about P2P, and *especially* thoroughly encrypted P2P.
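
The stateful rule sketched in the post above, modelled as an added example (not part of the original post and not any firewall product's configuration). The class and function names are hypothetical, the addresses are constructed, and the model simplifies by tracking only the internal IP and treating any answered packet to UDP 1935 as the trigger.

```python
from dataclasses import dataclass, field

RENDEZVOUS_PORT = 1935   # UDP port named in the post
MIN_PEER_PORT = 1024     # "all ports >1023"

@dataclass
class StatefulUdpPolicy:
    """Toy model of the rule; a real firewall would also track source ports and timeouts."""
    unlocked: set = field(default_factory=set)  # internal IPs allowed wide outbound UDP
    flows: set = field(default_factory=set)     # (internal_ip, remote_ip, remote_port)

    def outbound(self, src_ip, dst_ip, dst_port):
        # The rendezvous port is always allowed out; any other port requires
        # an unlocked internal address and a destination port above 1023.
        if dst_port != RENDEZVOUS_PORT:
            if src_ip not in self.unlocked or dst_port < MIN_PEER_PORT:
                return "drop"
        self.flows.add((src_ip, dst_ip, dst_port))
        return "accept"

    def inbound(self, src_ip, src_port, dst_ip):
        # Only replies on a flow the internal host opened are accepted.
        if (dst_ip, src_ip, src_port) not in self.flows:
            return "drop"
        # A reply from port 1935 is the event that unlocks the internal address.
        if src_port == RENDEZVOUS_PORT:
            self.unlocked.add(dst_ip)
        return "accept"

def demo():
    """Replay a constructed packet sequence and return the verdicts in order."""
    fw = StatefulUdpPolicy()
    host, server, peer = "10.0.0.5", "192.0.2.10", "198.51.100.7"  # constructed
    return [
        fw.outbound(host, peer, 50000),         # drop: no rendezvous reply seen yet
        fw.outbound(host, server, 1935),        # accept: rendezvous request
        fw.inbound(server, 1935, host),         # accept: reply unlocks 10.0.0.5
        fw.outbound(host, peer, 50000),         # accept: unlocked, port > 1023
        fw.inbound(peer, 50000, host),          # accept: reply on an opened flow
        fw.outbound(host, peer, 53),            # drop: port <= 1023 stays closed
        fw.outbound("10.0.0.77", peer, 50000),  # drop: same machine, new address
    ]

if __name__ == "__main__":
    print(demo())
```

The last verdict is the address-mobility limitation the post mentions: the unlock is keyed to the internal IP, so a host that changes address loses it until it repeats the exchange on port 1935.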