Thanks for clarifying these points. I’ve not done much with a DMZ yet - as far as I can understand, this will expose the whole machine, not just the network ports, so you have to ensure that your OS is fully patched. Of course, if someone manages to break into your machine, they then have no access to the rest of your network (except through the ports open to the other servers?).
When providing remote support I generally need access to the whole machine through something like VNC. Without using a VPN, an SSL connection for customers to view their system along with an encrypted VNC connection may fit the bill. I agree that the benefits of a VNC look quite compelling.
If I didn’t think networking was a black art before, one look at your link on Wikipedia convinced me. The number of protocols out there is frightening! I dream one day of understanding the basics… 