Here's what ended up working, via: http://discussions.apple.com/thread.jspa?threadID=2725432&tstart=0
The following are the basic steps to configure a "dynamic" WDS with the 802.11n AirPort Express Base Station (AXn) being extended by the 802.11n AirPort Extreme Base Station (AEBSn). Please compare them to what you attempted to see if anything was missed.
One thing to note is that the AXn is not capable of providing simultaneous dual-band operation like the AEBSn. That said, you will only be able to extend the 2.4 OR the 5 GHz radio of the AXn. Since the lower frequency band travels longer distances, I would suggest extending it.
o If practical, place the base stations in near proximity to each other during the setup phase. Once done, move them to their desired locations.
o Open AirPort Utility and select the AXn.
o Choose Manual Setup from the Base Station menu. Enter the base station password if necessary.
o Click AirPort in the toolbar, and then, click Wireless.
o Choose “Create a wireless network” from the Wireless Mode pop-up menu, and then, select the “Allow this network to be extended” checkbox.
o Next, select the AEBSn, and then, choose Manual Setup from the Base Station menu. Again, enter the base station password if necessary.
o Choose “Extend a wireless network” from the Wireless Mode pop-up menu, and then, choose the network provided by the AXn from the Network Name pop-up menu.
o Enter the base station network and base station password is necessary.
o Click Update to update the base station with new network settings.
To use the Lion server for DHCP, you need to simply turn off DHCP service on the AirPort Extreme and turn it on in Lion.
To use the Lion box as a firewall it will need to have two network ports - one for LAN and one for WAN. (Unless you want your LAN side to be provided wirelessly (which I don't recommend)).
I'm a big fan of OSX server and use it at home myself...
so here are some other neat things you could do with a Lion server...
Set up your Lion server to provide DNS names and a domain. When using the Lion server to provide IP addresses (DHCP), you can also allow it to provide other info to the clients, like who's providing DNS. So rather than having to use IPs to refer to your machines, you can give them DNS names. This means you don't have to set up static IPs for each device and you don't have to remember IPs!
DNS and domain name examples: macbook.mynetwork.net, airport.mynetwork.net, etc. (mynetwork.net being your domain)
Set up RADIUS authentication with WPA2 Enterprise for your wireless connection. You "pair" the AirPort Extreme with the Lion server. This means that people who want to use your WiFi have to log in with a user and password.
The user authentication is handled by the Lion server - set up your users in the server's directory.
Set up your Lion server to provide software updates to your Macs This means that your server downloads all the updates from Apple and can then serve them to Macs on your network. Saving bandwidth and time (it's alot faster!) You'll need to either manually point the client Macs to the server for their updates or "bind" the Macs to the server in order to change the appropriate settings for this (which is a big topic best discussed elsewhere).
Have fun.
Best Answer
If you only want to host VNC on your Lion server I'd suggest opening the specific port for that service (TCP 5900) on your modem/router and forward it to your Lion server, as opposed to putting it on a DMZ which fully exposes the machine to the internet.
To be able to get to your server using a human readable address like - server.mydomain.com, you need to own a domain (mydomain.com) and then link your actual internet IP address (that your internet provider gives you) to that domain (e.g. server.mydomain.com). It's pretty much as simple as that if your internet IP address doesn't change (is static). If your IP address regularly changes, this kind of approach isn't really possible...
The easiest way to get a DNS (human readable) address is to use a service like DynDNS or No-IP. These constantly check what your IP address is and keep internet DNS records up to date with your current IP address. It requires that your modem/router is compatible with such a service, or that you run a piece of software on a machine (your Lion server maybe) that's inside your network.
So;
1) Forward port 5900 TCP to your Lion server (Port forwarding settings in your modem/router)
2) Set up DNS so that you don't have to remember your IP and so that if your IP changes, you can still connect back to it.
3) Enable screen sharing on the Lion server. Tell it which users you want to be able to connect. Set a password.
I'd recommend looking into using your Lion box as a VPN or SSH server so that you can do all these kinds of things over a single encrypted link. VNC isn't the safest of protocols!