I've moved this post to Server Administration (Connect with other Tableau Server and Tableau Online Admins to learn best practices for upgrades, scaling, permissions, and more), where you would probably get more replies.
I don't know. When users are outside the LAN do they use a VPN to connect to the company network? If not that may be the way to go.
We use Citrix instead of VPN. Our IT manager wanted to give users the option to access the clickOnce application + tableau without having to login to citrix.