The safest way to do this is to ensure that you are safely communicating. This is often done by connecting via a VPN first. Once you are connected, then you can use ARD to remotely control the machine.
You can open port 5900 and allow direct observe/control via your public address. However, this is not recommended because of the possibility of exploitation. Plus, unless you have a ton of public addresses, the use of the port forward will allow control of only one device. By connecting via VPN you then have access to all devices on your network.
VPN can be configured on your server as it offers PPTP and L2TP. If you have a firewall, you might have access to IPsec or SSL depending on your device.
Reid
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available in the Apple iBooks Store
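Added example, not part of the post above: a check you can run from outside your network, against your own public address, to confirm that port 5900 is not reachable once you rely on the VPN. It assumes the service on 5900 speaks the RFB (VNC) protocol and announces itself with a 12-byte version banner; the function names are hypothetical.

```python
import re
import socket

ARD_PORT = 5900  # the port named in the post above
# RFB ProtocolVersion message: exactly 12 bytes, e.g. b"RFB 003.008\n"
BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_banner(data):
    """Return (major, minor) from an RFB version banner, or None if it is not one."""
    m = BANNER_RE.match(data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_exposure(host, port=ARD_PORT, timeout=3.0):
    """Classify how host:port answers from wherever this script runs.

    ("closed", None)          connection refused, filtered, or timed out
    ("open-unknown", bytes)   port accepts connections but sent no RFB banner
    ("open-rfb", (maj, min))  a screen-sharing/VNC service answered directly
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            try:
                # The server speaks first; read at most the 12-byte banner.
                while len(data) < 12:
                    chunk = s.recv(12 - len(data))
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # open port that stays silent
    except OSError:
        return ("closed", None)
    version = parse_rfb_banner(data)
    return ("open-rfb", version) if version else ("open-unknown", data)


if __name__ == "__main__":
    import sys
    # Usage: python check_5900.py <your-public-address> [...]
    for target in sys.argv[1:]:
        print(target, check_exposure(target))
```

With the port forward removed and the VPN in place, the expected result from an outside network is `closed`; `open-rfb` means screen sharing is still answering on the public address.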