VPN Security Versus Plain Old TLS
Solution 1:
The solution greatly depends on your authentication method, and the user base. VPN access only is simpler to architect, however you may be exposing more of your internal network than you want to for these App users, and you WILL hear endless complaints from the users who now have to jump through at least 2 more hoops to connect and authenticate to the VPN.
You have to first figure out where you will be locating the server:
- Inside your firewall with VPN
- Inside your DMZ with reverse proxy, shared authentication
- Co-located or cloud with shared auth, or separate user account management
Then if it's for internal users only vs. external membership. There are many options for integrating with existing user databases, using Kerberos, NTLM, PKI, internal app auth (database), or web-server (.htpass/LDAP).
If it's for internal employees then Managed PKI through Verisign or Entrust might be worth looking into. This allows you to manage and deploy security certificates for Public/Private key authentication. You can put the server in a reverse proxy (mod_security) to monitor and filter out Internet attacks, then authenticate via the certificate (example). It's pretty expensive though.
If it's for public consumption, then standard HTTPS + LDAP is often the most economical choice. You can sync the LDAP roles database nightly etc. to avoid having to manage multiple sets of user accounts.
We actually chose to stick with the VPN for the first few phases of our web-app. We had enough control over user laptops to be able to support the overhead and maintain the security. Ultimately we'll go with managed PKI along with AD/LDAP sync. for RBAC. Good luck.