Configuration: NSBS 6.0.3, NW Webaccess, and GW 6.0.3 on a single
and have everything working fine on my internal network. Local
access the Internet currently by connecting directly through the
router (we
don't limit outgoing Internet access, but may in the future, once
BorderManager is installed), and the NW servers can also access the
using a default route to the router.

I'm now preparing to add a BM3.7 server to secure NW WebAccess and GWWebAccess (using my second server license in NSBS6).

We're connected to the Internet via a wireless connection to our ISP,
on "scenario #2" shown in Craig Johnson's "A Beginner's Guide to
BorderManager 3.X" book. (I recommend this book to neophytes like
myself -
definitely worth the cost!) The router performs NAT, has a DMZ
function (all
ports to a particular IP address) and individual port forwarding
capabilities, if necessary. (Right now, the BM server is attached, but
running Bordermanager until I finish upgrading to BM3.7).

I've been searching for the best and most secure method of allowing
without complicating the system or adding a lot of adminstrative
(I'm the only IT person here, and I'm pretty much self-taught...)

Currently, NW WebAccess (iFolder, NetStorage, iPrint, Remote Manager)
tied to IP address internally, and
"" on
the internal DNS. I access these via the links created on the "Welcome
Netware 6" page generated by the servers administrative instance of
1.3/Tomcat33. Currently, these functions are not accessible via the

The GW Webaccess Agent and Application were installed on IP address, running on Apache 1.3/Tomcat33 in it's own memory
space. I
can access GWWA internally, with no problems, using

My question: Since I am limited to a single "public" address by my
ISP, what
is the best network design to allow secure external access by our
to both GWWA and NWWA? Our ISP has assigned two "A" records to our
IP address, so "" and "" both
to our Internet public address, and I've already assigned the same
internally pointing to the proper IP addresses.

I'd like to keep direct Internet access to the main server
limited as much as possible...

Any recommendations from the experts would be appreciated!

Thanks in advance.