Hi 

At the one end of things you might want to secure your IPA server in your production network; however, this might not be reachable from other networks (your network policy). At the other end of things you might want to place it in your most accessible network; however, then the system is more at risk from outside involvement. Worth remembering there is no "read only" version of IPA (yet). The point here is that if you have some secured IPA instances in production connected to IPA servers outside of production, then your whole IPA infra is exposed by the member in the weakest security zone.

We run our IPA infrastructure globally with VPN-connected sites, no issue there. I don't have experience of road warrior VPN clients though. I'm not sure how IPA behaves when hosts connect with possibly different FQDNs, for example.

Regards
Angus