...
Don’t expose your CAS, your server, or your network - to anyone you don’t completely trust.
Make the network private and inaccessible from the Internet by using a VPN.
Hide your terminals and CAS server behind a VPN.
Give VPN access only to your verified terminals. There are multiple ways to deploy VPNs. T
Preferred: have physical routers in the machines to perform the VPN tunnelling.
CAS is also capable of establishing a VPN tunnel, however a hardware solution is more secure.
...