I've followed the instructions in the following link to create my own RMI registry and jmx server on a single port inside tomcat. According to the comments, I need to set -Djava.rmi.server.hostname=localhost. Once I do that, I can indeed connect to my server via jconsole using ssh port forwarding.
http://blogs.sun.com/jmxetc/entry/connecting_through_firewall_using_jmx
However, I've found it has the very bad side affect of breaking our ehcache replication which uses RMI. It fails complaining that it cannot bootstrap from remote peer localhost. I'm guessing because the peers all have their rmi server hostname set to localhost from setting -Djava.rmi.server.hostname=localhost.
Does anyone have a possible workaround to this problem?