System has to opened to the outside world without vpn (for candidates of course). Often a reverse proxy is used to do this (to mask the real server domainname and port).
You have to maintain table HTTPURLLOC for this. Usually only done in PRO so don't forget to test (correspondance sent to candidates with a link to the startpage in it for example)