Typically your LR architecture is within your corporate firewall. This is best so it is secure and easy to administrate. Eventually you will come upon a case where the AUT is outside the firewall as you say. There are two main options:
1. Use MIListener and MoFW (Monitors over Firewall)
This can be complex as Jeffrey mentions above. I would do this only if the option below is not possible.
2. Punch a firewall hole from your generator to the main URL or VIP or wherever your app is.
I'm going to try to illustrate this with some ASCII art. :)
    LR Controller <----> LR Generator(s)
          |                    |
          |                    |
    ------|--------------------|---------- (corporate firewall)
          |                    |
          |                    |
          |                    |
          --> External app <--
So your controller (or SiteScope) will collect metrics from the AUT. The generator throws the load at the AUT. Either port they use (:50000-or something) will be needed from your corporate FW to AUT.
Using MIListener looks about the same, just put the MIL on the FW line with a dual-homed machine that faces inbound to LR and outbound to AUT.
I hope this helps you!
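As an added example (not from the original post, and not a LoadRunner tool), here is a small Python checklist for option 2: it lists the least-privilege firewall flows (controller/SiteScope to the AUT for metrics, each generator to the AUT for load, nothing inbound) and probes them from the machine it runs on, so you can see which holes still need opening. All host names and port numbers are placeholders.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One firewall allow rule: src host -> dst host on a TCP port."""
    src: str
    dst: str
    port: int
    purpose: str


def required_flows(controller, generators, aut_host, load_ports, monitor_ports):
    """Minimal set of holes for option 2: only the LR hosts that must reach
    the AUT, only on the ports the AUT actually serves, outbound only."""
    flows = [Flow(controller, aut_host, p, "monitor metrics") for p in monitor_ports]
    for gen in generators:
        flows += [Flow(gen, aut_host, p, "load traffic") for p in load_ports]
    return flows


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connect to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def missing_flows(flows, this_host, probe=tcp_probe):
    """Probe the flows that originate on this_host (run once on the controller
    and once on each generator); return those the firewall still blocks."""
    return [f for f in flows if f.src == this_host and not probe(f.dst, f.port)]


if __name__ == "__main__":
    # Constructed placeholder hosts/ports, not real infrastructure.
    flows = required_flows(
        "lr-controller.corp.example",
        ["lr-gen1.corp.example", "lr-gen2.corp.example"],
        "app-vip.example.com",
        load_ports=[443],
        monitor_ports=[50000],
    )
    for f in missing_flows(flows, socket.gethostname()):
        print(f"BLOCKED {f.src} -> {f.dst}:{f.port} ({f.purpose})")
```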