An alternative would be to do something like:
ssh -L 3000:10.0.0.5:3000 -L 3001:10.0.0.5:3001 .... -L 4000:10.0.0.5:4000 12.0.0.10
This will set up a thousand and one separate ssh tunnels, one for each port. I have never tried setting up over a thousand simultaneous ssh tunnels, so I have no idea what the performance is going to be like, or if it's even going to work at all, or if you're going to have to set up multiple parallel ssh processes.
It's going to be a pretty long command line, so I would suggest writing some kind of script to actually invoke the command.
All in all I would not recommend this; if at all possible, set up a VPN.
Is there any reason your users can't just connect to 12.0.0.10 directly? Or are the ports not exposed through the firewall? If not, can't you just open up the ports in the firewall from selected IP addresses, or do you have security considerations that don't let you do this?
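The script suggested in the answer above, as an added example that is not the poster's code: it generates the `-L` arguments for ports 3000 to 4000 and rejects a bad range before ssh is started. The function names, the `--connect` switch and the `-N` / `ExitOnForwardFailure` options are choices made here, not taken from the post.

```shell
#!/bin/sh
# Added example: build the long "ssh -L ..." command line from a port range.
# Addresses and ports are the ones used in the post above.
TARGET=10.0.0.5
GATEWAY=12.0.0.10
FIRST_PORT=3000
LAST_PORT=4000

# Print one "-L port:target:port" pair per line for first..last.
# Returns non-zero (and prints nothing on stdout) if the range is invalid.
build_forward_args() {
    first=$1; last=$2; target=$3
    for p in "$first" "$last"; do
        case $p in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 1 ;;
        esac
    done
    if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
        echo "invalid port range: $first-$last" >&2
        return 1
    fi
    port=$first
    while [ "$port" -le "$last" ]; do
        printf '%s %s:%s:%s\n' -L "$port" "$target" "$port"
        port=$((port + 1))
    done
}

# Open every forward in a single ssh process.
#   -N                       forward only, run no remote command
#   ExitOnForwardFailure=yes abort if any listener cannot be bound,
#                            instead of running with part of the range missing
open_tunnels() {
    args=$(build_forward_args "$FIRST_PORT" "$LAST_PORT" "$TARGET") || return 1
    # Word splitting of $args is intentional: the generated text contains
    # only digits, dots, colons and "-L".
    # shellcheck disable=SC2086
    ssh -N -o ExitOnForwardFailure=yes $args "$GATEWAY"
}

# Only connect when asked to, so the functions can be sourced and inspected.
if [ "${1:-}" = "--connect" ]; then
    open_tunnels
fi
```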
Nice post. What is aggressive or not is hard to say, generally - YOU should decide that. All three are fine, but have different approaches, usability issues, price etc.
I work for a company that passes VISA/Mastercard security certification (PCI) every year, and everything depends on what you do and what risks you might have. There is no company without risk; it might be minimal/insignificant for you, but risks are always present. Maybe it's enough for you to have an HTTP proxy and you are not afraid of guys who are able to use an HTTP tunnel or use HTTP-based remote applications etc. (like Skype, Teamviewer), and you don't have control over application control, don't have 802.1x certificate-based auth on the Ethernet level with a machine which has dual disk encryption which needs a special USB key for every bootup, even though this USB key is taken from one of 20 10-inch thick steel safes opened by two split passwords changed 6 hours ago, known by two guys, delivered by two security specialists with two guards and four remotely controlled cameras, and all that is underground, at 300 m depth. What is applicable/enough for you - again, you decide.
If your employees are security experts and bad guys, able to use several tools and hide from cameras - there is no way to control them by watching their traffic and packets - they can still hide and make a tunnel wherever they want; you should consider other things too (I guess Palo Alto Enterprise Perimeter can do it, if you need it so much and you pay that USD 1 mil for it).
All your proposals are OK - there is nothing wrong with using any of them in an enterprise.
I recommend taking a look at SIEM alerting products too (Solarwinds SIEM, Trustwave SIEM, IBM Q1 Labs Qradar). Maybe you would like to watch the situation, not limit it in great detail etc.
Best Answer
This isn't what you asked for but it might be of interest. Lets you proxify applications that don't have their own native proxy settings. http://proxychains.sourceforge.net/