Hi,
I was considering his options. The obvious one is to build a decent firewall to put in front of it and to harden the server as much as possible. But then
Um, does any of this make sense? Are there any alternatives I should be looking at for him? Or is this just a case of using good old secure HTTP and being done with it?
If you use VPN, you would like to create a LAN with private IPs behind a VPN Gateway. The server is in this LAN - this setup makes sense only if you're not able to secure the machine. Disadvantages are the need for client software and all the trouble with supporting the clients, anyway you have to secure the gateway. Performance/costs are worse compared to a https setup. I would suggest to use a hardend server with only https running, and for more security the usage of a own CA, in combination with a configuration that checks client certificates. In such a setup you will need username, password and certificate to access the web service. Ciao, Dieter