I'm not sure exactly what you are asking for, but I'll take a shot.
First, most applications that require client/server type applications exist in a layered architecture. This means there are external parameter firewalls (packet filtering), DMZ and, finally, a secure bastion firewall on the inside. More important, there is a DMZ in place!!!
Second, you want to connect to an application server in the DMZ, then to the Server. I would not place the database server in the DMZ, but I would place an application service (Web server) in the DMZ. This device should NOT be in a domain (if using an NT network), instead it should be stand alone.
Third, you may HTTPS (SSL) to the DMZ from where ever, thus that connection is encrypted.
Finally, the connection from the DMZ application to the server is the only connection allowed through the firewall to the internal private DMZ or network. I would make this a non-standard port not used by any other application. This connection could be any form of SSL, SSH or other method. When this link is also encrypted, it ensures there is no traffic in clear text.
This would wrap up any malicious code or vulnerabilities. DDOS and other attacks should not penetrate. Also, remember the following actually keep this configuration working:
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Demilitarized zone
Best Web Links: Firewalls
Best Web Links: Outsourcing