Systems like this usually have a complex setup. Your staff portal should be housed on a machine inside your company network, and should not be accessible from the public network.
The public portal, of course, must be on a machine that is accessible from the public network. The machine should have everything turned off that you don't need, and should have an external firewall blocking network ports you aren't using - assume that someone will attempt to break into the machine, and provide them as few paths to try as possible. This machine will need network access to the database, but that access path should be tightly restricted as well, to prevent a successful attacker from entering your secure network.
The database should be on a third machine, accessible to the two portal machines, but again, heavily firewalled to prevent attempts to access the database without the portal code.
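The three-host layout above expressed as a default-deny policy, as an added example that is not part of the original answer: the addresses, the DMZ segment and the ports (443 for the portals, 5432 for the database) are constructed assumptions, and the attempts list stands in for entries a firewall log would show.

```python
# Added example (not from the original answer): a small model of the
# three-machine layout with the default-deny rules each host's firewall
# would enforce. Addresses and ports are constructed for illustration.
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: ipaddress.IPv4Network  # who may connect
    dst: ipaddress.IPv4Address  # to which machine
    port: int                   # on which TCP port

# Constructed addressing: internal LAN, a DMZ for the public portal,
# and a separate segment for the database server.
INTERNAL_LAN  = ipaddress.ip_network("10.0.0.0/24")
STAFF_PORTAL  = ipaddress.ip_address("10.0.0.10")
PUBLIC_PORTAL = ipaddress.ip_address("192.0.2.10")   # DMZ host
DATABASE      = ipaddress.ip_address("10.0.1.20")
ANY           = ipaddress.ip_network("0.0.0.0/0")

def host(ip):
    """Single-address network, so one machine can be named as a source."""
    return ipaddress.ip_network(f"{ip}/32")

# Everything not listed here is dropped (default deny).
ALLOW = [
    Rule(ANY,                 PUBLIC_PORTAL, 443),   # public users -> public portal
    Rule(INTERNAL_LAN,        STAFF_PORTAL,  443),   # staff on the LAN -> staff portal
    Rule(host(PUBLIC_PORTAL), DATABASE,      5432),  # only the portal hosts -> database
    Rule(host(STAFF_PORTAL),  DATABASE,      5432),
]

def is_allowed(src, dst, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d == r.dst and port == r.port for r in ALLOW)

def evaluate(attempts):
    """Map each (src, dst, port) attempt to 'allow' or 'deny'."""
    return {a: ("allow" if is_allowed(*a) else "deny") for a in attempts}

# Constructed connection attempts, as a firewall log might record them.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "192.0.2.10", 443),   # public user -> public portal (allow)
    ("203.0.113.5", "10.0.0.10",  443),   # public user -> staff portal (deny)
    ("203.0.113.5", "10.0.1.20",  5432),  # public user straight to the DB (deny)
    ("192.0.2.10",  "10.0.1.20",  5432),  # public portal -> DB (allow)
    ("192.0.2.10",  "10.0.0.10",  22),    # DMZ host reaching into the LAN (deny)
    ("10.0.0.77",   "10.0.0.10",  443),   # staff workstation -> staff portal (allow)
    ("10.0.0.77",   "10.0.1.20",  5432),  # workstation bypassing the portal (deny)
]
```

Running `evaluate(SAMPLE_ATTEMPTS)` shows that only the three intended paths survive; the fifth attempt is the case the answer warns about, a compromised public machine trying to enter the internal network.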