We have been looking into the use of the "Self-Service Console" (SSC) as a means of deploying about 800 soft tokens as replacements for hardware versions in order to avoid having to email out so many QR codes. However when the user attempts to scan the QR code we find that the mobile devices are not able to reach the SSC via an external connection. We do not think it wise to expose our Security Console (appliance) to the internet.
To test this theory we connected a phone via VPN to the corporate network and it worked just fine when scanning the code.
Can someone direct me to the appropriate documentation for enabling this feature without exposing a new security concern?