I have Pocket PC devices using Merge replication from the Internet and would like to enhance security. I currently have IIS in a DMZ and have SQL in the internal network with holes in the firewall to allow communication from IIS to SQL. I am thinking that it may be more secure if I moved the Distributor into the DMZ. If I do this, can I close the inbound SQL ports? I'm wondering if the publisher can be configured to initiate all communication between publisher and distributor and allow outbound-only ports open on the firewall. That way, if someone were able to hack the DMZ, they couldn't take advantage of open ports to SQL. Does this make sense? Could it work?