The first question would be how many users and how would you best consider getting them access to the remote IP address?

Will you have a VPN setup for the users? That is probably the most secure.

That question needs to be answered first before you craft a web service API for consumption by the client.