I am wondering a little about the ports and routing requirements for
Windows file shares (using Samba servers, and Windows clients). We will
have at least two LANs which are mostly kept separate, but at least some
clients on each side will need access to file servers on the other LAN.
The two LANs will be joined via a router and firewall (which also
controls access to the internet and DMZ). We don't have a Windows
domain, just a simple single workgroup.

As far as I can tell from the Samba documentation, I need to consider
name service access (udp 137, udp 138) and the actual file share access
(tcp 135, tcp 139, tcp 445) slightly differently. To get naming
services working properly, so that clients can find the servers (on
either side), each client and server needs name service port access to a
common WINS server (which will also be the domain master browser). I am
not sure, but I think the WINS server also needs to be able to access
the local master browsers on the LANs using the same ports. It is not
necessarily clear which computer on each LAN is the local master
browser, as that depends on the "election" results - thus the WINS
server needs access on udp 137 and udp 138 to each machine on the LANs.
I'm not thrilled at having to allow such traffic, but I can live with it
if it is necessary.

For the actual file sharing, any client wanting to access a particular
server must have access on tcp 135, tcp 139 and tcp 445 - that's just
standard firewall and routing rules.

Is that correct, or am I missing / misunderstanding anything?

I am also interested in controlled access to file servers from outside
(laptops and home office machines). The obvious solution would be a
VPN, but are there any other secure alternatives? I've been considering
using WebDAV (over HTTPS), since newer Windows machines can access
WebDAV sites as file shares and mapped drives, or using SFTP along with
WinDrive (which allows mapping drives for direct access) or WinSCP
(which provides indirect access). Direct access such as WebDAV or
WinDrive is convenient for the users, but indirect access like WinSCP
(where the transfers are handled by a specific program) is more secure
in that other programs cannot directly access the shared data. I'd be
interested to hear of any experiences or opinions on the security,
reliability and convenience of these methods.

Best regards,

David
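
The rule set described in the post, written out as an nftables forward chain for the router between the two LANs. This is an added example, not part of the original post: the choice of nftables, the table and set names, every address, and the placement of the WINS server on LAN A are assumptions; the ports are the ones the post lists.

```nftables
# Added example. All addresses and set members are constructed placeholders.
table inet smb_interlan {
    # The two LANs joined by the router/firewall (assumed subnets)
    set lan_a { type ipv4_addr; flags interval; elements = { 192.168.10.0/24 } }
    set lan_b { type ipv4_addr; flags interval; elements = { 192.168.20.0/24 } }

    # Common WINS server / domain master browser (assumed to sit on LAN A)
    set wins { type ipv4_addr; elements = { 192.168.10.5 } }

    # File servers on each side, and the clients allowed to cross over
    set servers_a { type ipv4_addr; elements = { 192.168.10.10 } }
    set servers_b { type ipv4_addr; elements = { 192.168.20.10 } }
    set cross_clients_a { type ipv4_addr; elements = { 192.168.10.51, 192.168.10.52 } }
    set cross_clients_b { type ipv4_addr; elements = { 192.168.20.51 } }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were allowed below
        ct state established,related accept

        # Name service: every host on the far LAN may reach the WINS server.
        # Hosts on LAN A reach it directly and never cross this chain.
        ip saddr @lan_b ip daddr @wins udp dport { 137, 138 } accept

        # Name service: the WINS server may reach any host on the far LAN,
        # because the local master browser there is decided by election.
        ip saddr @wins ip daddr @lan_b udp dport { 137, 138 } accept

        # File sharing: only listed clients, only to listed servers on the
        # other side, only new connections on the share ports.
        ip saddr @cross_clients_a ip daddr @servers_b tcp dport { 135, 139, 445 } ct state new accept
        ip saddr @cross_clients_b ip daddr @servers_a tcp dport { 135, 139, 445 } ct state new accept

        # Record any other inter-LAN NetBIOS/SMB attempt before the default drop
        tcp dport { 135, 139, 445 } log prefix "smb-interlan-drop " counter
        udp dport { 137, 138 } log prefix "nbns-interlan-drop " counter
    }
}
```

The log lines ahead of the default drop show which hosts attempt cross-LAN share or name-service traffic without being listed, which helps decide whether a set is missing a member or a machine is misbehaving.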