As mentioned on the user list by Steven Robenalt, there is a config option in Java 7 that allows configuring the port used for the follow-up RMI connection in JMX. It simplifies things a lot to have both connections use 7199, since it could be reused for both.
There's a little-known change in the way JMX uses ports that was added to JDK7u4 which simplifies the use of JMX in a firewalled environment. The standard RMI registry port for JMX is controlled by the com.sun.management.jmxremote.port property. The change to Java 7 was to introduce the related com.sun.management.jmxremote.rmi.port property. Setting this second property means that JMX will use that second port, rather than a randomly assigned port, for making the actual connection. This solution works well in the AWS VPC environment that I'm running in, and I've heard of others using it successfully as well.
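A check for the setting described above, as an added example that is not part of the original post: it reads a JVM option string and reports which ports a firewall rule has to allow for JMX. The function names and the sample option strings are constructed for illustration; only the two property names and port 7199 come from the text.

```shell
#!/bin/sh
# Constructed sample JVM option strings (not taken from a real deployment).
OPTS_BEFORE='-Dcom.sun.management.jmxremote.port=7199 -Dcom.sun.management.jmxremote.ssl=false'
OPTS_PINNED='-Dcom.sun.management.jmxremote.port=7199 -Dcom.sun.management.jmxremote.rmi.port=7199'
OPTS_SPLIT='-Dcom.sun.management.jmxremote.port=7199 -Dcom.sun.management.jmxremote.rmi.port=7200'

# jmx_prop OPTS NAME: print the value of -DNAME=... ; the last occurrence wins.
jmx_prop() {
    val=''
    for tok in $1; do
        case $tok in
            "-D$2="*) val=${tok#"-D$2="} ;;
        esac
    done
    printf '%s' "$val"
}

# is_port VALUE: succeed only for a decimal number in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# jmx_firewall_ports OPTS: print the ports a firewall must allow for JMX.
#   none        no registry port is set in OPTS
#   unresolved  a value is not a literal port (e.g. an unexpanded variable)
#   P random    registry on P, follow-up connection on an unpredictable port
#   P           both connections pinned to P
#   P Q         registry on P, follow-up connection pinned to Q
jmx_firewall_ports() {
    reg=$(jmx_prop "$1" com.sun.management.jmxremote.port)
    rmi=$(jmx_prop "$1" com.sun.management.jmxremote.rmi.port)
    if [ -z "$reg" ]; then echo "none"
    elif ! is_port "$reg"; then echo "unresolved"
    elif [ -z "$rmi" ]; then echo "$reg random"
    elif ! is_port "$rmi"; then echo "unresolved"
    elif [ "$rmi" = "$reg" ]; then echo "$reg"
    else echo "$reg $rmi"
    fi
}

# Report each constructed sample when the script is run directly.
for sample in "$OPTS_BEFORE" "$OPTS_PINNED" "$OPTS_SPLIT"; do
    printf '%s\n' "$(jmx_firewall_ports "$sample")"
done
```

A result ending in `random` means a single allow rule for the registry port is not enough, which is the case the rmi.port property removes.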