I work with a high school and some of the students are using Psiphon to get around our web filter. So I believe we were having a similar issue. We found that a third-party managed firewall and web filter filled our needs better than closing so many ports that have important services running on them. We used iboss for our web filter and firewall and we were able to curtail the problem with Psiphon.
Psiphon can mount HTTP/SOCKS proxies via tunnels. All the traffic of this application will bypass TCP port 80 by default. So you must have a firewall capable of inspecting your packets to see which packets are real HTTP packets and which are HTTP proxy packets.
To be honest, with my experience using and testing Psiphon, as long as the user has any kind of internet, no matter the block (even if though), Psiphon seems to manage its way in anyway. Its lightweight setup makes you able to use it on a flash drive (so it doesn't need to be installed on the PC at all, you just need to plug in the thumb drive) and its versatility makes it very hard to block, even temporarily. Not to mention that if it even gets a ping from any open server, it automatically updates itself, makes a backup copy, and gets a new server list. The reason why it's like this is because it's designed to allow you access even in another country where blocks are really strict... Basically, you're trying to march through the jungle, but up against an army that specializes in guerrilla warfare...
Ok folks, so here it is. After fighting this monster for about 9 months, I finally figured out how to stop Psiphon from running on my computers. Psiphon is a standalone program; because it does not install itself to the computer, there are no hashes or certificates to manipulate. I finally googled how to stop .exe files from running and lo and behold, there it was. You have to set up a GPO to prevent psiphon3.exe from running. You will create this rule under User Configuration\Administrative Templates\System\Don't run specified Windows applications. From here you can figure out the rest. Now I have tried to run it on the computer, from the website and from a drive stick, and they all failed to run. Can't wait for morning to get here so I can implement this on the computers at work. Hope this helps.
I have managed to do this by blocking the file path of the temp exe it creates when connecting. This removes the ability to rename the original exe and it works again (or having duplicates in downloads, i.e. "Psiphon3 (1).exe").
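
An added example, not part of any post in this thread: a PowerShell check to run in a user's session to confirm that the "Don't run specified Windows applications" policy from the GPO post has applied, and to see which of the file names mentioned in the two posts above its list actually matches. The registry location is where that policy stores its list; the function names are hypothetical.

```powershell
# Added example: audit the per-user "Don't run specified Windows applications" policy.
# File names tested below are the ones mentioned in the thread; function names are illustrative.

function Get-DisallowRunEntries {
    # Returns the executable names the policy lists for the current user,
    # or nothing if the policy is not enabled.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $list = "$base\DisallowRun"

    # The policy is active only when the DWORD value DisallowRun is 1.
    $flag = (Get-ItemProperty -Path $base -Name 'DisallowRun' -ErrorAction SilentlyContinue).DisallowRun
    if ($flag -ne 1 -or -not (Test-Path -Path $list)) { return }

    # Entries are string values named 1, 2, 3, ... under the DisallowRun subkey.
    $key = Get-Item -Path $list
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

function Test-NameBlocked {
    param(
        [Parameter(Mandatory)] [string] $FileName,
        [string[]] $Entries = @()
    )
    # The list holds file names, so compare the leaf name, case-insensitively.
    $leaf = Split-Path -Path $FileName -Leaf
    return [bool]($Entries | Where-Object { $_ -ieq $leaf })
}

$entries = @(Get-DisallowRunEntries)
if ($entries.Count -eq 0) {
    Write-Warning 'DisallowRun policy is not applied for this user (check gpresult /r).'
}

# A duplicate download gets a different file name, so it is reported separately.
foreach ($name in 'psiphon3.exe', 'Psiphon3 (1).exe') {
    [pscustomobject]@{
        FileName = $name
        Blocked  = Test-NameBlocked -FileName $name -Entries $entries
    }
}
```

A `Blocked = False` row for the duplicate name is the gap the last post closes with a file path rule instead of a name rule.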