I have always heavily restricted access through my firewall. I have a situation where a user needs public access to a server from the Internet. I told him the device would sit on the inside of the network and he could VPN into our firewall and then access the device. The device is a security system and when you log into it you can stream camera feeds from cameras around the building. He claims the MTU’s added by the VPN will slow down the stream to the point it will be unusable and he will need a public NAT’ed IP address. I am not too sure on the MTU’s? I was thinking of putting the device on my DMZ and letting him access it that way rather than it sit inside the network NAT’ed to a public IP address. I think if I did it this way I should be fine and I would pass a security audit if I ever had to go through one.