Alex Paschal wrote :

>Let me get this straight.  They're willing to do one outside initiated
IP-IP
>rule on the firewall (your server-server communication), they're just not
>willing to multiple IP-IP port limiting rules, one for each client?

>Then what about dropping a second NIC in each client and in the TSM
server,
>then create a private segment or VLAN?  It can be packet/IP filtered
pretty
>easily and cheaply if desired, and if the segment is switched, you don't
>have to worry too much about packet sniffing.  Personally, I think having
a
>DMZ TSM server is overkill.

The "outside" TSM server is not on the far outside but rather in a DMZ.
>From the far outside to the inside server is at least three levels of
firewalls.
Maybe an overkill, but those are the conditions we have to live under in
this case.

Also, we don't own all the external clients and we cannot force the owners
to buy extra hardware (however cheap it may be).

Regards

Peter