VPNs (depending on the type and the implementation) can port filter.
Have you checked with your network folks?
When I worked IT for a bank, we were very specific with what could be touched through the VPN. At the very least it was limited to specific ports globally, and then further to specific ports for specific systems.
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.