As noted, you need more than just a SUP. Clients must also be able to communicate with an MP and a DP. Ultimately, this is all just web traffic so you can present these roles to the clients on the Internet in multiple ways. The two most common (and recommended ways) are using an existing site system (or systems) in a DMZ to host these roles or to use a reverse proxy to enable client communication to reach the roles on an existing site server or site system. I would strongly recommend, for security reasons, not to reverse proxy to the roles hosted on the site server though if that's the path you choose. We don't have an explicit documentation covering these scenarios anymore although the ConfigMgr 2007 documentation to cover it. Also, keep in mind that device authentication for Internet clients requires PKI-issued client authentication certificates.
Using a CMG makes all of the above moot though and is quite easy to deploy with no infrastructure cost or additional security burden.