Both a VPN and a reverse proxy can be used for sharing data with external users.
When you set up a VPN, users first need to log in to the company's network using the VPN, and then they will have to access Windchill as if they are in the same network.
A reverse proxy is used where the Windchill server is exposed outside the company network using a proxy setup.
With a reverse proxy, external users don't have to log in to the VPN. They can directly access Windchill (for downloading contents) from their own machine (outside the network) in Creo or a standalone browser.
PTC documentation provides information about configuring a reverse proxy using Apache, but they do not recommend or support it in production. For production, networking tools like a load balancer (e.g. NetScaler, F5, etc.) need to be configured, where rules are added. With these rules, external requests are routed properly to and from the Windchill server.
As you have said, external IPs can be marked as trusted by the networking team to make sure that the system is not exposed to the entire world.
Windchill works on port 80 for HTTP and 443 for HTTPS, so these ports need to be opened for external network users. HTTPS is recommended, as you don't want to pass unencrypted traffic (user credentials) to the outside network. Also, there are a few properties which need to be set. You can refer to this article:
https://www.ptc.com/en/support/article?n=CS68466