OutSystems Now - Securing access to mobile applications (Internet/Intranet)

OutSystems Now - Securing access to mobile applications (Internet/Intranet)

  
I am in the process of incorporating OutSystems Now functionality to give mobile devices access to selected mobile applications within our OutSystems environment. Currently, we have three environments configured on our Intranet. Development, UAT, and Production. OutSystems Now is installed and functioning within the development environment. We are utilizing Active Directory for authentication. Currently, a VPN connection is required for mobile devices to gain access to our Intranet and to our OutSystems applications. 
 
What I'm looking to determine is what would be the best way to grant access to our mobile applications from mobile devices without requiring a VPN connection? What would I need to request from our IT department to make this happen?

I'm assuming a separate 'mobile' environment would have to be created which is exposed to the external Internet? Is this something we could implement ourselves, or would a 3rd-party option be the best way to go?  
 
Thoughts? Sample scenarios? Suggestions?

Any help would be greatly appreciated! Thanks!
Well, in our scenario, we have a separate production environment (which unfortunately costs extra license fees) that serves the web pages, and communicates via web services (SOAP or REST) to our actual back office to retrieve the data. The reason for this set-up is that in the event a hacker manages to break into the front-end server, no data is compromised, as the database containing actual customer info etc. is not available to that server. The few alternatives that exists are all far less secure, e.g. allowing all mobile devices direct access to a server within your company network (I don't need to explain why that's a bad idea :)) or have a front server in a DMZ that communicates with the mobile devices, but connects to the database inside your company network (which poses a security risk, as breaking into the front-end server allows a hacker to gain access to all your company data in the OutSystems database through the database connection the front-end server has access to).
Greetings,

You won't need a specific environment for mobile. There's a feature called "Zones" in Service Center that allows you to deploy applications just to the front-ends you want. Your IT department may want to add one or more new front-ends, exposed to the internet, remove them from the default zone, and publish only your mobile apps there.

This approach assumes you have some apps that you don't want to expose to the internet. Otherwise it's simpler - just open up some ports on your firewalls and voilá.
Yeah, just open some ports, and if your front-end is compromised, your data's out on the street. No thanks.
Thanks for all the feedback guys. Our IT guys are very picky about opening up ports. Especially on servers living on the public side of the wall. A separate production environment will most likely be the route I will be taking (to remain among the living!). The 'Zones' feature sounds very interesting as well. I will definately be looking into that suggestion for publishing the mobile applications. I also like the idea of communicating with the mobile applications via web services. This will surely make our resident DBA a happy camper as well. 

I'm planning to incorporate 'Two-Factor' authentication for the mobile applications as well. I downloaded a component from the Forge that I modified to send its authorization codes via email instead of text message. It works fine, but I was wondering if there was a solution to incorporate Two-Factor authentication within the OutSystems Now native iOS application? Reason being, it would be nice not to have to incorporate the downloaded component into all of my individual mobile applications.

Thanks for all your help guys! You guys are awesome! My upcoming meeting with IT may not be as painful as I was anticipating. :-)

Thanks again for all your comments and suggestions. Keep them coming!
You're welcome Daryl, good luck with the meeting :).