
I totally agree with Daniel and also Gavin.
From outside, using a VPN is definitely the way to go.
VPN is something I would implement on the firewall, which would be a separate appliance to the host. As you know, a Cisco Router with the IOS IP Plus/FW/3DES image or a NetScreen dedicated FW appliance is what turns me on.
To me, the advantage of SSH is I know I can connect into the machines from anywhere in the world. I'm happy to, if necessary, mess with keys to get this level of access, but I'm not happy to say "I can only connect from this netblock and these two other IPs." When you consider the proliferation of SSL VPN technology (such as OpenVPN) these days, why is a VPN any different to SSH itself? They are both SSL encrypted connections. Running telnet over an SSL VPN sounds exactly like using SSH to me. Why add extra complexity?

Craig