Right but in order for this to work, you’d need to have web server running on each machines and configured on every single port to, so that making the attempt through the firewall on port X actually aligns with an app listening on it and this is if they are not “translating ports” (i.e. they open port “50000” on external firewall but when you connect to host:50000 that sends your traffic to MachineName:40000)… If they are translating them you can sniff an open port but you’d not know which in reality it is. I would imagine some lightweight standalone web server software can work but still - installing additional software just to test and besides “internet-facing” is not necessarily on default ports only - you’d need to be attempting 64k times to scan each available port for each machine…
I’d honestly tell them “Can’t be done cause it’s effort prohibitive”, and send them to Security team - they are the ones who configure the ports to be open on the perimeter firewall devices, so let them jump on every such and dump the open ports - once they produce a report of all open ports and to what IP address that/those port(s) are open then you can work with that to match the IP addresses to endpoints!