A software firewall with web interface / login possibilities for single windows server
Solution 1:
If this is a company setup we're talking about here, there's no reason at all for that SQL server to be accessible from the internet.
If you need to allow access from roaming clients, use a proper firewall with a VPN solution. Watchguard and Palo Alto both have really good VPN solutions. Also check if a current firewall of the company has this feature already, most do.
Again, I can not stress this enough, use a proper firewall!
Solution 2:
We have a single web server with SQL server etc
Possible a poor design choice - web servers and databases both like to have lots of "room" to run around in. Having both on the same server might give you contention problems.
We need to allow access to the database directly so our customer can write reports ... SSRS
Why? If you already have a "web server, SQL Server, etc." on this machine, why not install SSRS as well and give them access [to the web interface] to that?
We original had the DB just sitting on the internet ...
No. Just, no.
Web servers have built-in protections against the kind of "nastiness" that exists "Out There". Databases servers do not. You must "insulate" your databases from the "undesirables".
Running the SSRS application through a Web Server is a straightforward way to achieve this.