Howdy experts. I have a customer that is going to be running a gateway at a remote site. Management and one gateway will be in one site, with a second gateway in another location. Both gateways will be using Primary/Backup ISP redundancy. 

I'm struggling to find the best way to manage the gateway at the remote site. In the past, I've managed the gateway through either a VPN connection between the primary site gateway and the secondary site gateway or, if a VPN is not in the equation, just through the internet facing interface of the gateway.  By "manage" I mean management server to gateway, not WebUI or SSH.

Since the gateway will basically have two IP addresses that are internet facing, should I manage the gateway from the external interfaces or should I manage it through a VPN to the IP on the internal side of the firewall? Is there a prevailing best practice here? 

Also, can a management appliance manage gateways through different interfaces, for example, one gateway is reachable from management through the MGMT interface while the other is reachable through the Eth1-01?

TIA