Remote access options to SBS 2008 and security implications

Thanks for the info.  As for the certificate, are you talking about something like what's advertised at clickssl.com?  Can you tell me, briefly and simply, what it is and how it works?
Thanks

The SBS 2008 has built into it the ability to issue a self signed SSL certificate.   SSL stands for Secure Socket Layer.   Whenever you type https:// in a url, you are using SSL.   This creates an encrypted trusted connection between the two computers.   This typically occurs over port 443

This article on Technet explains certificates and their creation and use in SBS 2008
http://technet.microsoft.com/en-us/library/dd353115(WS.10).aspx

Godaddy.com offers fairly inexpensive trusted certificates as well

It really depends on the budget for the business.  Without a certificate, Mozilla will pop up a large warning when you first try to connect.  You must accept the certificate before you can go forward.  In IE, you receive a warning stating continuing is NOT RECOMMENDED.  It is an extra click but not a show stopper.
   Prices have come down for basic SSL's.  Register.com is offering one for less than $13 /yr. http://www.register.com/promo/ssl_essential_1.rcmx?trkID=SEM171Vt3W&gclid=CNe6wfO-66cCFRx3gwod_QWubw

Thanks for the input.  All are useful in one way or another, and I'll grade accordingly.  But one question remains unanswered - which method of remote access is better, if any?

As mentioned in my first comment, VPN would be deemed most secure as you are creating a point to point secure connection between yourself and your corporate network.

Remote access via HTTPS will be more accessible if your in a hotel or abroad as HTTPS is unlikely to be blocked where as VPN ports may be.

The piece of the puzzle that is missing is what type of VPN are you using?   PPTP (traditional VPN) or IPSEC VPN or SSL VPN.

If you're using traditional PPTP VPN, there is no layer of encryption involved.  While it does create a dedicated connection to the corp network using the internet, it's relatively insecure.   VPN of any type also requires a lot more bandwidth than using RWW.   RWW only sends video and keystrokes accross the net, where as VPN actually sends lots of data accross VPN

IPSec VPN is more secure than PPTP, but still is not secure as any SSL based protocol.

If you want the highest level of security for remote access, you should be using an SSL connection, either SSL VPN or RWW over SSL AND a second factor of authenication such as the product from Scorpion Software called Auth Anvil made specially for use for SBS but there is an added cost to that with both hardware and the authenication tokens

There are some Microsoftie's who'd disagree with the idea that an SSL VPN is MORE secure than remote desktop in Windows 2008:
 the Remote Desktop client uses encrypted Hypertext Transfer Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway authenticates the user (via either a password or a smart card), verifies that the user is authorized to connect to the destination computer and then uses Remote Desktop Protocol (RDP) to complete the connection on your private network.
(quoting from biztechmagazine.com)

I was not suggesting that SSL VPN was more secure than Remote Desktop
Remote Desktop by itself is not secure at all.
TSWeb or RWW are secure becaus they use SSL

Further to CrisHanna point, you can use SSL to secure RDP as well.

Exactly, RWW uses SSL with a variation of RDP and TSWeb an is secure, but if you want real security, using two form factor security is the real way to go

Thank you all for your responses.  As I said at the start, we're new to this, so we're just "following the bouncing ball", with nothing added.  It sounds like we'll need to pay some attention to exactly what we're actually doing (we're not really sure what it all means), but from what you've said, RWW is a better way to go because it uses less bandwidth.
Thanks again