The BEST practice would be to forward port 1723 to your Windows 2003 server. Enable VPN on the server. The reason I say this is the best way is because that way you can use your Active Directory authentication. Also, if your domain is set up the way mine is, the server has both an internal and external network, and the external is hooked to the router. Enabling VPN on our router would require me to reconfigure our server to allow services through our external LAN on the server, which I believe would open us up too much. Anyways, that's my suggestion. Later