IIRC SBS can act as a server, but its not very good at VPNs. You can tack on ISA Server to SBS for firewalling but once again its not as good as a real firewall.
I'd chuck on a Netscreen 5GT or 5GT Plus (5GT is 10 IP version, Plus is unlimited IPs protected by the firewall, so if you only say 8 users buy the 5GT, if you have 20 users, buy the Plus).
If are running any services on the SBS server such as email (ports 25, 110, or 143), or Web the 5GT can add extra protection with Deep Inspection - application layer firewalling. Stops all those hacker nasties and worms from attacking these applicaitions on your server where a normal SPI firewall (ie equivilant Cisco and Checkpoint products) lets these attacks straight through.
I also recommend a service contract with any 5GT's I sell, it enhances your warranty, support, and you get all the firmware revisions for one year.
Now, heres the catch, if you buy 5GT+Deep Inspection sub for 1 year+Service contract it works out to within a couple of bucks as the 5GT Antivirus + Service Contract (AV service contract includes Deep Inspection and AV updates for 1 year). So even if you don't use the antivirus you practically get it free.
So you buy the AV version
Then you buy VPN Client, NS-R8A-010 or NS-R8P-010, this licenses up to 10 users, the R8A is essentially the Safenet VPN Client rebranded, and the R8P is the Safenet Client with the Sygate personal firewall. The R8A is cheeeeeeeap, probably US$100 for the 10 user.
The 5GT will support up to 10 concurrent VPN users, it does up to 20Mbps of 3DES IPSEC traffic, so its a nice fast little box. It also supports things like traffic shaping within the VPN tunnels, extremely helpful for things like Terminal Services sessions.
I could go on all day about the 5GT's features, its a wicked piece of hardware. Brochures are here:
http://www.juniper.net/products/glance/nscn_5.html and here
http://www.juniper.net/products/glance/remote.htmlHope that helps.
