before digging for several hours in the BM manuals and to avoid having
done that for nothing, I'd like to check if the following is feasible with

I'd like to have my clients located on the internet authenticate via an
applet (which is an option
in BM apparently), possibly in combination with a token, to the BM
server, .
If they log on succesfully, a NAT-ted session for certain protocol should
be allowed to certain internal servers. From what I gathered, this means
setting the BM up in a reverse way.

Is this do-able?