I have observed that with a tightly locked down Border 3.7sp1 box with
absolutely no filter exceptions for VPN client access (TCP/UDP port
343 and protocol ID 57), VPN client access is not blocked. In fact, VPN
access works perfectly.

Since when are filter exceptions "optional"? How do I explain this
to my sophisticated end-users?

No filter exceptions can be found in FILTCFG, iManager or by looking
directly at the filter objects in c1.

Can anyone help me explain this to my customers? Does the fact that
there is an access rule for VPN client access cause a set of "implicit"
filter exceptions to occur? If so, has this always been the case with BM and
should I not add the exceptions if I do want VPN client access?