IIS can be configured to listen through a custom port. So
http://www.yoursite.com would become
http://www.yoursite.com:5000. If you are using a properly configured VPN then you should be able to leave SQL at the default port. Basically, a VPN is a secure tunnell between fixed IP addresses with encryption happening bi-directional on all traffic on all ports. If your firewall is set up properly, use the VPN and treat the remote site exactly like it was on your LAN.