Hi Mike:

>>Do you really want to expose your SQL Server through your firewall - especially on the default port?

No, not using the default port, but assigning a special port on firewall and configure SQL Server to listen on it. Is this not secure? Is this not good practice?

>>Did you change the default sa password?

No. I haven't thought about that.

>>What about letting the users access resource through a VPN?

If your using a VPN, do you even need a firewall? Does the VPN act as a firewall? If using a VPN requires people to be authenicated on network, is that secure enough making the firewall unecessary?

If we go web, is it possible they may shut off the HTTP and HTTPS ports? Can IIS be configured to listen on a custom port?

Thanx,
Charlie