We are trying to determine the best way to establish access to workstations in remote locations that are unable to connect via VPN. The proposed idea is to establish a high-speed connection via sattelite, which won't support VPN traffic due to it's inherint latency (we're too cheap for frame-relay or fractional Ts, DSL and cable are unavailable to these areas). A hardware firewall/VPN box (with VPN disabled) will be used at the remote locations and will support NAT, and we will continue to use our private IP scheme at the remote network with the public IP assigned to the firewall. The question is connecting to each individual machine at the remote location: should I build a server for each remote location to performing routing for that location; would it be better to get a public IP for each machine and provide a 1:1 address map; are there other suggestions that are better? How can I connect to each individual machine without establishing a VPN tunnel?