Typically your LR architecture is within your corporate firewall. This is best so it is secure and easy to administrate. Eventually you will come upon a case where the AUT is outside the firewall as you say. There are two main options:
1. Use MIListener and MoFW (Monitors over Firewall)
This can be complex as Jeffrey mentions above. I would do this only if the option below is not possible.
2. Punch a firewall hole from your generator to the main URL or VIP or wherever your app is.
I'm going to try to illustrate this with some ASCII art. :)
LR Controller <----> LR Generator(s)
-----|--------------------|---------- (corporate firewall)
--> External app <--
So your controller (or SiteScope) will collect metrics from the AUT. The generator throws the load at the AUT. Either port they use (:50000-or something) will be needed from your corporate FW to AUT.
Using MIListener looks about the same, just put the MIL on the FW line with a dual-homed machine that faces inbound to LR and outbound to AUT.
I hope this helps you!