I have installed an "Endian Firewall" as a separate virtual machine (http://www.endian.com/en/community/) which NATs two ports to the private IPs of the DSS machines on port 443.
Then I disabled the NIC which was connected to the internet.
If the firewall virtual machine or even all XenServers should fail, I can still re-enable the NIC to the internet using IPMI.
So I do not have to rent a hardware firewall at the data center.