Question : VPN/SQL setup and router model recommendation

We have been asked to install our MS SQL server HR/Financial application so that branch offices can use it as well.
This is in a remote part of Asia and internet connectivity regularly goes down so the plan at present is to replicate the SQL databases between the two sites.  Another site will likely be added next year.

* * * Please see attached 12kb .pdf for a simple overview diagram. * * *

REQUIREMENTS:
Replicate SQL database between Site A and Site B.
The router at each site is to provide internet access and site to site VPN capabilities.
Site A
- SQL Server only accept connections from local Site A pcs and Site B SQL server (not Site B pc's).
Site B
- SQL server only accept connections from PC1 not PC2,3,4.


QUESTIONS
SITE A: Limit Site A SQL server connections to site B SQL server and Site A pc's - How is this best achieved?  Withiin SQL Server 2008 or packet filtering on Site A router? Is using non-standard SQL ports recommended or does this get messy.  If so, which router would support packet filtering of the VPN connection?

SITE B: Similar to SITE A, what is the best way to restrict access to the SQL server to just PC1?  In case a SQL logon password becomes knownn to other staff, we want to restrict which pc's can access the SQL database.  I was thinking along the lines of MAC address filtering on the SQL server somehow.

ROUTER model: Suggestions for router model that will allow *EASY* support and configure for this scenario, given that there will be about 10 users at each site.  I like the look of the Fortinet 50B and 60B. Sonic Wall? Cisco Command line too hard?

Any other suggestions to optimise this setup are totally welcome.
Thanks in advance
BLokemann

Answer : VPN/SQL setup and router model recommendation

The scenario is best to accomplish with access rules on the VPN devices. Any better business class device should be able to do a filtering on (VPN) IP address.

My preference is Juniper NetScreen / SSG device, because you can use command line interface AND Web interface, whichever is more convenient for each situation. FortiNet and SonicWall should have appropriate devices, too.