Safest way of doing it is over VPN.
So only VPN ports open on the router (+ any other public services if you run any - http, https, etc)
Connect via VPN to your server and then you are on the internal network and you should not have to open any additional ports on the router for your remote administrator software.
When you say administer, do you mean something like control your parent's Mac remotely, or do you mean officially adminster a classroom full of Macs? If a classroom full of Macs, then you are most likely taking about using the Apple Remote Desktop software which you pay for.
If, as I suspect, you just want to control your own or a family member's Mac remotely, then you do not need to pay for anything.
If you need Screen Sharing, you open port 5900 (the VNC port)
If you need File Sharing, you open port 548 (AFP)
If you need access to the Unix command line, or you want to use the ssh 'scp' or 'sftp' file transfer commands, then you need to open port 22.
Visit <http://PortForward.com>, they will provide port forwarding instructions for just about every home router out there.
I would also suggest you get a free dynamic DNS name so you can address the remote Mac by a constant name instead of having to know the current IP address assigned to the home router, which the ISP can change anytime they want. No-IP.com or DynDNS.org offer free dynamic DNS names. You run one of their dynamic DNS updating clients on the remote Mac to keep the dynamic DNS name updated with the current ISP assigned IP address.
Once you have the port forwarding working, you connect for screen sharing using
Finder -> Go -> Connect to Server -> vnc://address.of.remote.mac
and for file sharing
Finder -> Go -> Connect to Server -> afp://address.of.remote.mac
If you are going to use ssh, scp, or sftp, then from an Applications -> utilities -> Terminal session you would do something like:
scp local.file email@example.com:/path/where/to/put/the/file
scp firstname.lastname@example.org:/path/of/file/to/get /local/place/to/put/the/file
There are also sftp GUI clients you can use to make this part easier.
If you really cannot get this working, then consider using something like TeamViewer.com which deals with all the messy home router NAT navigation.