I have a client who needs to run a server application that clients connect to via https. It runs on IIS server, and I've been having a problem with the in-office clients timing out and the application freezing dead.

The server is not externally exposed as of yet, and the solution I found was to set the http timeout on the root website in IIS to one hour. My problem is I don't know the implications of exposing a configuration with such a long timeout to the Internet.

What should I do to minimize risk?
What is the highest reasonable timeout for a web-server?
Should I filter ALL ports except the SSL port? It doesn't need to provide ANY other externally.