Before digging for several hours in the BM manuals and to avoid having
done that for nothing, I'd like to check if the following is feasible with

I'd like to have my clients authenticate via an applet (which is an option
in BM apparently), possibly in combination with a token, to the BM server.
If they log on successfully, a NAT-ted session for certain protocol should
be allowed to certain internal servers. From what I gathered, this means
setting the BM up in a reverse way.

Is this do-able?