You can grant access to the node's JSON-RPC API to external IP addresses using the rpcallowip runtime parameter, but this means that anyone with the username/password of the API can do anything on that node, including sending its assets, etc. So you probably want to set up an intermediary API that your end users call, with some kind of authentication mechanism, and which then triggers action on the MultiChain node.
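One way such an intermediary could look, as an added example that is not part of the original answer and not MultiChain's own code: each end user has their own token and a per-user allowlist of JSON-RPC methods, and the node's RPC credentials stay on the server. The node URL and port, the credentials, the user tokens and the function names are constructed placeholders.

```python
import base64, hashlib, hmac, json, urllib.request

# Constructed placeholders: node URL/port, node credentials and user tokens.
NODE_URL = "http://127.0.0.1:8570"  # node RPC reachable only from this host
NODE_AUTH = ("multichainrpc", "node-password-placeholder")
# SHA-256 of each user's token -> JSON-RPC methods that user may call.
USERS = {
    hashlib.sha256(b"alice-token").hexdigest(): {"getinfo", "liststreamitems"},
    hashlib.sha256(b"bob-token").hexdigest(): {"getinfo"},
}

def authorize(token: str, method: str) -> bool:
    """Constant-time token comparison, then the per-user method allowlist."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for known, methods in USERS.items():
        if hmac.compare_digest(digest, known):
            return method in methods
    return False

def forward_to_node(method, params):
    """Call the node with credentials the end user never sees."""
    body = json.dumps({"method": method, "params": params, "id": 1}).encode()
    req = urllib.request.Request(NODE_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    cred = base64.b64encode(":".join(NODE_AUTH).encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def handle_request(token, raw_body, forward=forward_to_node):
    """Return (http_status, payload) for one end-user request."""
    try:
        call = json.loads(raw_body)
        method, params = call["method"], call.get("params", [])
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request"}
    if not isinstance(method, str) or not isinstance(params, list):
        return 400, {"error": "malformed request"}
    # Deny by default: unknown token or method outside the allowlist.
    if not authorize(token or "", method):
        return 403, {"error": "not permitted"}
    return 200, forward(method, params)
```

Wire handle_request into whatever HTTPS front end you use; asset-moving methods such as sendasset stay unreachable unless you add them to a user's allowlist.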