Wow this is still looked at... been a while since my bit on sql.
for an outside client to get at the data my general plan is to use another server to manage the request.
examples include web services / xml or an app server remoting the data
any client on the "outside" of the corp. data center should never see the IP of the SQL db server.
should never have direct access to it via SQL connection.
and in many cases a middle server can cache some data thus reducing the work load and # of connections on the sql server.
less vulnerable, more scalable, more managed.
seems good to me.