I would never ever put a server on the net with direct file access...I have been burned too many times, you can think you are protected all you want....until the day you get burned, cost your company a ton of money, or better yet jail time.
What is the best way to secure it so that you 1. don't lose your job, 2. don't lose the company money, 3. don't go to jail. If any of these sound great to you, by all means put it out there with no other security than a dmz and a access rule...walls haven't been broken before and they won't now right?
If anything I would employ a system that also could do IPS in addition to SPI in your scenario. I would seriously be considering Xenapp or Remote App with your scenerio...I'd be damned if I give a user direct access to a server.
I work for an ISP in the UK and was responsible for the testing environments which replicated and scrubbed over 700GB of live databases. I face these scenarios a lot day to day. I recently did a night shift to re-work all our encryption techniques and VPNs based on the security audit of 3rd party contractors.
In the OPs scenario, he has a small cisco router with unspecified amount of traffic flowing through it. If the server is accessed a lot, the VPN aspect of it could really add a lot of load onto the box and with the aspect of the VPN, it'll add a lot of overhead with added latency. With the details he specified I'd definitely recommend either plugging it in directly to the router with IP table restrictions or a DMZ which only forwards on one port. With that, you can restrict on to one listening port. If there's any flaw in the software which grants access into the server then the software needs to be looked at. That could happen on a VPN with intent, and of course it can happen with a public facing server. Without the VPN, it's less hassle, less load and easier for the users internally to access the server.
Don't want to argue about this, I just personally feel like its the best solution. There's obviously a lot of variables which could change that though.