Port mapping for network and server protection

If you have a network router that shares its Internet connection with computers on your intranet, such as an AirPort Extreme Base Station (802.11n) or a Time Capsule, the router isolates your intranet from the Internet. These Internet-sharing routers protect your intranet against malicious attacks from the Internet by blocking communications that originate outside the intranet.

Computers on the Internet can’t access your server unless you configure your router to expose specific services on the Internet. For example, you might expose your Wiki and Websites services on the Internet, but not file sharing. You can still control access to wikis by requiring users to log in to view them. The process of exposing individual services to the Internet is called port mapping or port forwarding.

Internet users can access your exposed services by using an Internet host name, such as server.example.com, that you register with a public DNS registrar or a DNS hosting service. Your registered host name points to the public IP address you got from your ISP and configured your router to use. Internet users can also access your exposed services by using your public IP address directly instead of by using an Internet host name.

When using your Internet host name or public IP address to access a specific service, such as your Wiki service, users actually reach your router. If you exposed the service, your router forwards the request to your server. If you didn’t expose the service, the router doesn’t forward the request, and the user can’t get that service from your server.
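The forwarding decision described above, together with a check that the router's port-mapping table matches what you meant to expose, as an added example that is not part of the original page. The table layout, the function names, and the address 10.0.1.10 are assumptions made for illustration; the port numbers are the standard ones for HTTP, HTTPS, AFP, and SMB.

```python
from typing import NamedTuple, Optional

# Well-known TCP ports for the services the page mentions (Websites/Wiki over
# HTTP/HTTPS, file sharing over AFP/SMB).
SERVICE_PORTS = {"http": 80, "https": 443, "afp": 548, "smb": 445}
PORT_SERVICES = {port: name for name, port in SERVICE_PORTS.items()}

class Mapping(NamedTuple):
    public_port: int    # port Internet users connect to on the router
    private_ip: str     # server address on the intranet
    private_port: int   # port the service listens on

def forward(table, public_port) -> Optional[tuple]:
    """Router decision for an inbound connection: forward target, or None if dropped."""
    for m in table:
        if m.public_port == public_port:
            return (m.private_ip, m.private_port)
    return None

def audit(table, intended, server_ip):
    """Compare the router's table with the services you meant to expose."""
    findings = []
    intended_ports = {SERVICE_PORTS[s] for s in intended}
    for m in table:
        name = PORT_SERVICES.get(m.private_port, f"port {m.private_port}")
        if m.private_ip != server_ip:
            findings.append(f"unexpected target {m.private_ip} for public port {m.public_port}")
        elif m.private_port not in intended_ports:
            findings.append(f"{name} is exposed but not intended")
    mapped = {m.private_port for m in table if m.private_ip == server_ip}
    for s in intended:
        if SERVICE_PORTS[s] not in mapped:
            findings.append(f"{s} is intended but not mapped")
    return findings

# Constructed sample (hypothetical values): web services are intended,
# but a leftover file-sharing (AFP) mapping is still in the router's table.
SERVER = "10.0.1.10"
TABLE = [Mapping(80, SERVER, 80), Mapping(443, SERVER, 443), Mapping(548, SERVER, 548)]

if __name__ == "__main__":
    for finding in audit(TABLE, ["http", "https"], SERVER):
        print("FINDING:", finding)
```

Running the audit whenever the mapping table changes catches services, such as file sharing, that remain reachable from the Internet after they were meant to be withdrawn.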

If you want to let Internet users with accounts on your server access services that aren’t exposed to the Internet, you can turn on VPN service. It provides a secure remote connection to all services on your intranet.

See also
Router port mapping
Manage AirPort port mapping and Wi-Fi login
Register the server’s Internet host name
About VPN