Tunnelling Windows services to remote secured hosts

Here is an interesting security problem I have been fighting with. It
involves Microsoft software and a firewall I don't control, and my efforts
to fashion a secure solution with and in spite of these things.

If anyone has suggested solutions, I would welcome them. If not, it would be
nice to identify specific improvements that would solve the problems.

The Problem: tunnelling Windows smb service.

A remote computer, behind a fairly restrictive firewall, needs to access a
local samba server. The samba server provides services on a local,
unrouted network by a host that also has server routed network addresses.

The file systems served have some sensitive files on them. The samba service
is jailed
such that a compromise should not threaten the server in a meaningful way.
But if the samba server itself has a bug, or the Microsoft smb authentication
is weak or sniffed, the files would be exposed, and I would like to avoid that.

Therefore, the files are served only on an unrouted local network, to hosts
with local addresses. An attacker would have to break into these hosts, and
then gain access to the server. This is certainly not impossible, but it is
quite a bit harder than a direct attack,
and there are intrusion detection systems that are likely
to detect the first break-in.
Placing the samba server on the external network would be an unacceptible risk,
opening it to a variety of attacks and probes.

SMB over ssh?