>Please, anyone chime in on this one: :-)
>
>I am working towards allowing my users to access their application via VPN. Is there an additional need to encrypt the data that will be stored. We are not considering storing any financial data (i.e. credit card information).

A VPN extends your corporate LAN to users at remote locations. Since it sets up an encrypted "tunnel" between the remote location and your LAN, it's a good way to secure communications. The tunnel prevents anyone from snooping your traffic.

The biggest question is how your app is architected. If it uses native VFP tables, and you're expecting remote users to run the EXE on their local machines you may run into performance problems. Most LANs these days are gigabit (1,000 Mbit/sec). However, many business broadband connections still top out at 1 MBit/sec uplink speed (i.e. speed from your LAN to the public Internet). Expecting remote VFP apps to pull VFP data through a typical small business VPN will likely be painfully or unusably slow.

Even if your app is client-server with, say, a SQL Server backend, you still would have to pay attention to the amount of data going through the wire.

In many cases a better option is remote control. This has the downside that each remote user requires a session on your LAN. In some cases a remote user has an office machine they can remote in to when they are not at the office. This scenario is a good fit for 3rd party mediated services such as GoToMyPC or LogMeIn, in which case you don't need to set up a VPN at all. Or, you can set up a VPN and let users connect to the office LAN via the VPN, then RDP in to their own office computers.

Other businesses choose to set up an RDS or Citrix server to provide multiple remote sessions in a single box. In that scenario the users connect via VPN, then RDP in to the RDS/Citrix server and use a session hosted there.

VPN and RDP clients are available for some non-standard platforms such as smartphones and tablets so you can extend the reach and convenience of remote access.

If you use a remote-control solution, your data never leave your LAN so if you're not encrypting yet there's not much additional incentive to do so.

There are several types of VPNs. Preferred these days is probably L2TP/IPSec. Most common and perhaps easiest to set up is PPTP, but that's now considered insecure. OpenVPN is another standard that has gained some traction.

One thing to seriously consider is the security of the remote endpoints. Many family PCs that are shared with children aged 8 or up are infested with malware. These often contain keyloggers that specifically look for user name/password combinations keyed in to banking websites, VPN access etc. Anyone connecting in any fashion to your LAN using an infected machine is opening up access to bad guys.