Configuration: NSBS 6.0.3, NW Webaccess, and GW 6.0.3 on a single
server,
and have everything working fine on my internal network. Local
workstations
access the Internet currently by connecting directly through the
router (we
don't limit outgoing Internet access, but may in the future, once
BorderManager is installed), and the NW servers can also access the
Internet
using a default route to the router.

I'm now preparing to add a BM3.7 server to secure NW WebAccess and GWWebAccess (using my second server license in NSBS6).

We're connected to the Internet via a wireless connection to our ISP,
based
on "scenario #2" shown in Craig Johnson's "A Beginner's Guide to
BorderManager 3.X" book. (I recommend this book to neophytes like
myself -
definitely worth the cost!) The router performs NAT, has a DMZ
function (all
ports to a particular IP address) and individual port forwarding
capabilities, if necessary. (Right now, the BM server is attached, but
not
running Bordermanager until I finish upgrading to BM3.7).

I've been searching for the best and most secure method of allowing
access,
without complicating the system or adding a lot of adminstrative
overhead
(I'm the only IT person here, and I'm pretty much self-taught...)

Currently, NW WebAccess (iFolder, NetStorage, iPrint, Remote Manager)
are
tied to IP address 192.168.1.100 internally, and
"webaccess.domain.com" on
the internal DNS. I access these via the links created on the "Welcome
to
Netware 6" page generated by the servers administrative instance of
Apache
1.3/Tomcat33. Currently, these functions are not accessible via the
Internet.

The GW Webaccess Agent and Application were installed on IP address
192.168.1.101, running on Apache 1.3/Tomcat33 in it's own memory
space. I
can access GWWA internally, with no problems, using
"gwaccess.domain.com/servlet/webacc".

My question: Since I am limited to a single "public" address by my
ISP, what
is the best network design to allow secure external access by our
employees
to both GWWA and NWWA? Our ISP has assigned two "A" records to our
external
IP address, so "webaccess.domain.com" and "gwaccess.domain.com" both
point
to our Internet public address, and I've already assigned the same
records
internally pointing to the proper IP addresses.

I'd like to keep direct Internet access to the main server
(192.168.1.100)
limited as much as possible...

Any recommendations from the experts would be appreciated!

Thanks in advance.
Robert
***