A computer system provides authenticated access for a client computer (18) over an insecure, public network (26) to one of a plurality of destination servers (28) on private, secure network, through the use of a client-side X.509 digital certificate. A firewall (32) is disposed between the insecure, public network (26) and the private network. A demilitarized zone (DMZ) proxy server (34) intercepts messages destined for the destination servers (28), and forwards the intercepted messages through the firewall (32) to a gateway (38) on the private network. The gateway (38) is configured to create a cookie, based on the selection of one of several applications (30) available on the private network. The cookie contains an identifier sufficient to identify the destination server (28) corresponding to the selected application (30). Messages from the client computer include the cookie. The gateway (38) processes the cookie and appends the identifier on a destination URL portion of the messages for routing. An alternate computer system authenticates a user of a remote client computer on the insecure network site (26) of the firewall (32) using a user identification and password.