Accessing Bitbucket Server outside firewall

Jason Beach
October 12, 2018

We currently use ownCloud for sharing files and code with subcontractors, etc. We are also in the process of implementing some of the Atlassian tools (Jira, Confluence, Bitbucket Server) for our internal work. Is there a way to configure Bitbucket Server so that some of the repositories can be accessed outside of a company firewall? I'm not in IT and am trying to figure out what solution to recommend to them to help us with our workflow, so hopefully what I'm asking makes sense.

Thanks

Answer accepted
Dave Theodore [Coyote Creek Consulting]
Community Champion
October 12, 2018

It's really a question for your IT and InfoSec teams. There is no technical reason why this can't be done, but there are often business reasons why.

So that you can have an effective discussion with those teams, here are some things to consider. Bitbucket allows you to set permissions on a per-Project and per-Repo basis. It's possible to create a group for your external users and grant permissions to only the code that they are supposed to access. In order to do what you are asking, your IT team will need to poke a hole in your corporate firewall and allow inbound HTTPS and SSH (TCP ports 443 and 7999 by default). You may also want to allow inbound TCP/80 and redirect all that traffic to TCP/443 to make life easier for users, as well. This will make your entire Bitbucket instance open to the internet, and you will rely on application permissions to protect your code. Some InfoSec teams are ok with this and some are not. Unfortunately, Bitbucket Server makes it a little too easy to expose a Project or Repo anonymously, so you should also have a plan to discuss how the tool will be administered so that you can be ready for that discussion. It would also be a good idea to propose regular access audits to ensure that the right people can see the code they are supposed to and not see things they are not supposed to see. This may also involve changes to your onboarding and offboarding processes to ensure that access is granted and removed when appropriate.

Git allows you to pull from one host and push to another, so it is possible to create a read-only mirror of certain repos and put those on a publicly accessible server. This will allow remote users to pull down the repo, but they will still need to push changes to the main internal server. This feature is most useful in cases where users are on a slow link or otherwise experience slow cloning of repos. You can push a copy close to the edge where the users are, and the only traffic that goes back across the long-haul link is the push requests, which are typically fairly small.

Another option is to declare some repos as able to be placed on a Cloud Bitbucket instance and have the remote people connect to that. Your repos that need to be kept secure can continue to live on your internal Bitbucket instance and satisfy the InfoSec team.

We encounter this situation frequently and it's always difficult to predict what will be possible. I have found that being honest with the InfoSec team and providing the business and security facts so that everything is properly disclosed is the best way to proceed. You may need to get buy-in from a high-level sponsor, such as your Engineering VP, in order to persuade InfoSec to see your point of view. :) Good luck! I hope that helps.
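The read-only mirror arrangement described in the accepted answer, shown as an added example that is not code from the original post or from Atlassian. It models the three parties with local bare repositories (constructed paths under a temp directory, so it runs offline): an "internal" repo standing in for the internal Bitbucket Server, an "edge mirror" that only ever fetches from it, and a remote user's clone whose fetch URL is the mirror and whose push URL is the internal server. A pre-receive hook on the mirror refuses every push, so the mirror stays read-only even if someone points a push at it by mistake; `sync_mirror` is the periodic job that refreshes it.

```shell
#!/bin/sh
# Added example (not from the original post or Atlassian): a read-only edge
# mirror of an internal repo, with remote users fetching from the mirror and
# pushing to the internal server. All paths are constructed stand-ins.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
INTERNAL="$WORK/internal.git"     # stand-in for the internal Bitbucket Server repo
MIRROR="$WORK/edge-mirror.git"    # stand-in for the publicly reachable mirror
CLONE="$WORK/remote-user"         # a subcontractor's working copy

# Constructed commit identity so the demo works on a machine with no git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# Internal repo with one commit on main.
setup_internal() {
    git init -q --bare "$INTERNAL"
    git -C "$INTERNAL" symbolic-ref HEAD refs/heads/main
    git init -q "$WORK/seed"
    git -C "$WORK/seed" commit -q --allow-empty -m "initial"
    git -C "$WORK/seed" push -q "$INTERNAL" HEAD:refs/heads/main
}

# Mirror: a full copy of the refs that is only ever refreshed by fetching from
# the internal side. The always-failing pre-receive hook makes it read-only.
setup_mirror() {
    git clone -q --mirror "$INTERNAL" "$MIRROR"
    git -C "$MIRROR" symbolic-ref HEAD refs/heads/main
    cat > "$MIRROR/hooks/pre-receive" <<'EOF'
#!/bin/sh
echo "edge mirror is read-only; push to the internal server instead" >&2
exit 1
EOF
    chmod +x "$MIRROR/hooks/pre-receive"
}

# Periodic sync job: an outbound fetch from the internal server, pruning any
# branches that were deleted internally so they do not linger on the mirror.
sync_mirror() {
    git -C "$MIRROR" fetch -q --prune origin
}

# Remote user's clone: fetch from the mirror, push to the internal server.
setup_clone() {
    git clone -q "$MIRROR" "$CLONE"
    git -C "$CLONE" remote set-url --push origin "$INTERNAL"
}

fetch_url() { git -C "$CLONE" remote get-url origin; }
push_url()  { git -C "$CLONE" remote get-url --push origin; }
ref_of()    { git -C "$1" rev-parse refs/heads/main; }

# Returns 0 when a push aimed directly at the mirror is rejected by its hook.
push_to_mirror_rejected() {
    git -C "$CLONE" commit -q --allow-empty -m "attempt against mirror"
    if git -C "$CLONE" push -q "$MIRROR" HEAD:refs/heads/main >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Normal workflow: "git push origin" goes to the push URL (internal server);
# the mirror only sees the change after the next sync_mirror run.
push_change_to_internal() {
    git -C "$CLONE" commit -q --allow-empty -m "work from outside"
    git -C "$CLONE" push -q origin HEAD:refs/heads/main
}

setup_internal
setup_mirror
setup_clone
echo "remote user fetches from: $(fetch_url)"
echo "remote user pushes to:    $(push_url)"
```

In production the mirror's fetch runs from inside the network (outbound only), the internal server's `remote` is its HTTPS or SSH URL behind the firewall, and the hook on the mirror is the safety net for the "pull here, push there" rule the answer describes.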
