The TP-Link is not a very good firewall… at least, in my experience. I suggest you use the NS instead, and with that you could resolve that problem, and many others that may appear.
If you use NS as a gateway, with the proxy enabled, you will be able to block everything from the inside to the outside, leaving open only the ports that you want. In your current configuration, you must do it with the firewall of the TP-Link.
AFAIK, Ultrasurf is hard to block. I did a test some months ago and succeeded using openappid. I then stopped my tests due to lack of time. I still have a machine ready for testing and some notes.
If you see who’s using Ultrasurf, you could use a “social” technique to block them… just inform your users that all traffic is logged, that using Ultrasurf is forbidden and that such behaviour will be punished…
Solutions sometimes don’t come from technical skills.
First: you need a way to block the Ultrasurf executable from reaching the system.
Download links for Ultrasurf, USB/CD access or other removable media disabled by default.
Add a program that watches for the Ultrasurf signature when a program is started (also add it to Windows’ “disallowed programs”).
Second: block everything at the firewall level and then allow only what you want.
Third: use per-user authentication on the PC/proxy so you will know who is using what.
Log the usage on each station (log the actions, not the content; otherwise it will be illegal).
Put a very big warning and disclaimer at login with “This station is monitored, any and all actions are logged bla bla bla…”, and at the end put the relevant phrase:
“Any deviation from the mentioned rules will be sanctioned (you name what will happen)”
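The “Second” and “Third” steps above (default-deny at the firewall/proxy, per-user authentication, logging actions rather than content) only pay off if someone actually reviews the log per user. The script below is an added example, not code from this thread or from NethServer, Squid or TP-Link: it parses constructed Squid-format access log lines (the field order of Squid’s default `squid` log format, with the authenticated username in the eighth field), counts requests per user, and flags CONNECT tunnels that go to a port outside the site’s allowlist or to a bare IP address instead of a hostname. The port allowlist, the bare-IP heuristic and all sample lines are assumptions made for the example.

```python
"""Per-user review of an authenticated proxy's access log (added example).

Parses Squid-style access.log lines, attributes each request to the
authenticated user, and flags CONNECT tunnels that fall outside a port
allowlist or target a bare IP address rather than a hostname. Both the
allowlist and the log lines are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Ports the site chooses to allow outbound through the proxy (assumption).
ALLOWED_PORTS = {80, 443}

# Constructed sample log lines in Squid's default "squid" format:
# time elapsed client action/code size method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    120 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 alice HIER_DIRECT/93.184.216.34 -
1700000001.202     80 10.0.0.21 TCP_MISS/200 2048 GET http://www.example.com/ alice HIER_DIRECT/93.184.216.34 text/html
1700000002.303    300 10.0.0.42 TCP_TUNNEL/200 9000 CONNECT 203.0.113.7:443 bob HIER_DIRECT/203.0.113.7 -
1700000003.404     50 10.0.0.42 TCP_DENIED/403 0 CONNECT 203.0.113.7:8443 bob HIER_NONE/- text/html
1700000004.505     60 10.0.0.42 TCP_MISS/200 512 GET http://intranet.example.local/ - HIER_DIRECT/10.0.0.5 text/html
"""


def parse_line(line):
    """Split one Squid-format line into a dict; None for blank or short lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "result": fields[3],   # e.g. TCP_TUNNEL/200 or TCP_DENIED/403
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],     # "-" means the request was not authenticated
    }


def split_connect_target(url):
    """For CONNECT requests the URL is host:port; return (host, port)."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_bare_ip(host):
    """True when the CONNECT target is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def review(log_text, allowed_ports=ALLOWED_PORTS):
    """Return (requests_per_user, findings).

    findings is a list of (client, user, message) tuples. The proxy's own
    denial (TCP_DENIED) is still reported: the attempt is the action worth
    knowing about, even though the allowlist already stopped it.
    """
    per_user = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_user[rec["user"]] += 1
        if rec["user"] == "-":
            findings.append((rec["client"], "-", "unauthenticated request: " + rec["url"]))
        if rec["method"] != "CONNECT":
            continue
        host, port = split_connect_target(rec["url"])
        if port not in allowed_ports:
            findings.append((rec["client"], rec["user"],
                             f"CONNECT to non-allowed port {port} ({rec['result']})"))
        if is_bare_ip(host):
            findings.append((rec["client"], rec["user"],
                             f"CONNECT to bare IP {host}:{port} ({rec['result']})"))
    return dict(per_user), findings


if __name__ == "__main__":
    counts, flagged = review(SAMPLE_LOG)
    for user, n in sorted(counts.items()):
        print(f"{user:>8}: {n} request(s)")
    for client, user, msg in flagged:
        print(f"[{client}] {user}: {msg}")
```

Run against the sample, the report attributes every request to a username (the one "-" line shows a station that bypassed authentication and should be fixed), and bob’s two tunnels to a bare IP stand out from alice’s ordinary hostname-based traffic, which is exactly the per-user visibility the third step is after. In a real deployment the same parser would read the proxy’s access.log instead of the embedded sample.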