Please see the following MOS note:
380490.1 Oracle E-Business Suite R12 Configuration in a DMZ
You will need to add a 2nd middle tier node / machine that sits in the DMZ (an area of your network which allows limited access to certain ports from the general internet). For example, if you are using iStore, the "store" is generally on the DMZ node and accessible from the general internet.
You will want to have a shared APPL_TOP from between your first (main) applications node and your second (dmz) node -- that you only have to patch once, not twice.
See the above note also for architectural diagrams.
Hope this helps.