Downstream clusters behind firewall

Hi,

trying to verify some information about network connectivity between rancher-ui and downstream clusters:

According to Rancher Docs: Port Requirements it is possible to have downsteram-clusters / edge devices behind a (closed) firewall and still be used by the rancher-ui?
Because the rancher-agent works much like a reverse tunnel?

Assuming that is correct - can i just add an edge-device locally, ship it somewhere by mail and it will appear as online as soon as it is plugged in?

regards,
strowi