It is a really bad idea to use SSO through the internet, since it would require you to open a lot of ports through your router to the world, and make your DC vulnerable. And hackers love vulnerable DCs.
If you still want to, you will need to open these ports in your firewall.
Your easiest solution would be to use a VPN. Another option would be to set up a reverse proxy in your DMZ for the Kerberos protocol and for your IM ports. That may require a bit of work, but it should be doable.