This will be hard to do with Small Business Server without publisher in a secure manner.
But if all of your users exists in the AD you could place your server in the DMZ and expose it to the web.
Not ideal since you will need to allow access from your QV server to the backend system, thus having them exposed to the web aswell.
Together with a Publiher licence you could segment your deployment so you place the backend components inside the firewall and the accesspoint outside.
There should be some whitepapers on these scenarios, I'll see if I can't find them for you.
Edit: Coulden't find a good one so here is a paint-sample
You could probably place the QVS in the DMZ aswell if you like. I haven't covered any methods of securing the solution but if you want to go all out you add in certificates, reverse proxys etc etc but that is really up the security guys at the customer site, the main part to take away from this is that we support multiple ways of doing it