This question is not particularly related to Apple Remote Desktop; to ARD. It's a generic firewall setup and networking question, so pretty much any directions for your specific firewall will work here, so long as the firewall can forward ports — TCP port 5900, for this case — or if your particular firewall has a VPN server — mid-range and upper-end firewalls often do — or if you can establish a VPN server behind your firewall and configure the firewall to forward the VPN protocols (different from ports) and ports necessary for the particular VPN.
In general... I'd suggest one of three ways... 1: Set up your firewall to port forward TCP port 5900 to the target client. Maybe TCP 5988. Or set up a VPN server in your firewall, and connect to that and use ARD via a VPN. If you need access to more than one system on the target network, you'll either have to use a range of ports to forward to specific systems behind your firewall and which gets to be a hassle with many clients — I don't immediately know off-hand if the ARD client even allows selecting different target ports — or configure and switch to a VPN. 2: Establishing and configuring the VPN server in the firewall will allow access to any of the systems on your target network — a VPN connection makes your local system seem like it's directly connected to the target network. 3: If you have the VPN server running on a system on the target network and accessible via the firewall port forwarding, that target system will always have to be available, and all VPN traffic will be routed via that system. It's more complex, and can also be somewhat fussy to get set up.
If you directly expose ARD ports to the Internet via port forwarding, you'll either want to restrict the source IP ports available (to reduce the breadth of attackers), and you'll want to be very careful about the passwords on the target systems. ARD ports are very commonly probed, and more than a few folks and botnets will be trying to gain access to the systems through password brute-forcing; through trying to guess users and passwords on the target system. Once the attackers have a connection and a password, they'll then try to spread through the rest of the network. (This is part of why I prefer to use VPNs.)
I'd usually select an L2TP/IPsec VPN here, given that client is commonly available in macOS, iOS and most other operating systems.
There is information available on the networking ports used by Apple devices. If you select VPN port forwarding, there are discussions of the ports and protocols needed for whichever VPN you're using posted around the 'net, and not all firewalls are particularly good at port- forwarding the VPN ports and protocols. Low-end firewalls and older firewalls tend to have issues here.
To locate the systems on the target networks, you're left to use dynamic DNS from the client devices or some other means to identify the public IP address associated with the target client. If the clients are roaming across disparate networks and not simply roaming IP addresses on their private networks (those addresses can be fixed via DHCP configurations, too) and if you don't have access to the intervening firewalls, then you're probably going to have to rethink the whole approach, unfortunately. Connecting to arbitrary remote roaming systems isn't particularly feasible, there needs to be something on the client that "beacons" or "announces" its network metadata to your own client-tracking server or to some other entity's tracking server (such as announcements to the DNS servers used by the dynamic DNS providers), or the management connection has to be initiated from the client. ARD doesn't support these mechanisms. Discussions here can get fairly complex, too — both in terms of network setup, and in terms of ensuring security for both clients and servers.
There are some discussions related to this general topic in the forums; see here, here, here, here or here.
The other option is a GoToMeeting, or LogMeIn, or other remote-access provider... As you’ve mentioned. But I usually prefer a firewall with a VPN server, if this is a mid-grade or business connection. ZyXEL ZYWALL USG series is one such firewall with an embedded VPN server, and there are others. If you have an IT team, check with them.
