I assume the following is true:
I would be ill-advised to tunnel (as in SSL) at the application level, but proxy in the DMZ
... because if you tunnel at the app level, as the packets leave the app to the DMZ where the proxy is, the proxy cannot truly collect the packets into a message, and based upon the content of that message make decisions, like blocking IPs from going to certain destinations, or in the case of incoming messages, blocking IPs from coming in.
Therefore, you either want to proxy and tunnel at the DMZ level, or proxy and tunnel at the app level, but not proxy at the DMZ and tunnel at the app level.
Is this correct?