Here goes a complete list of options (from the wiki) of how the LDAP integration could be setup:

LDAP typically uses one of these types of communication channels: 

 A MID Server connection communicates over HTTP on port 80 by default. This communication channel does not require a certificate. The connection between the MID Server and the instance is over HTTPS (port 443). You can use the MID Server to import data over LDAP, but you cannot use the MID Server for LDAP authentication. Proceed to Define the LDAP Server. 
 A standard LDAP integration communicates over TCP on port 389 by default. This communication channel does not require a certificate. Proceed to Define the LDAP Server. 
 An SSL-encrypted LDAP integration (LDAPS) communicates over TCP on port 636 by default, This communication channel requires a certificate. Proceed to Upload the X.509 Certificate to obtain and upload the certificate. 
 A VPN connection communicates over an IPSEC tunnel. Purchase or create an IPSEC tunnel on your local network. Proceed to Define the LDAP Server. 
A MID server initiates one connection to an LDAP server via port 398, then initiates an encrypted HTTPS connection to an instance via port 443 to push data to the instance. When using a MID server, the instance does not make the connection to the LDAP server. The MID server does. 

The instance can also connect to the LDAP server directly, using LDAP or LDAPS, either over the internet or through a VPN tunnel. 

For more information about VPNs, Mid Servers, and LDAP, see You Don't Need A VPN Part II on the ServiceNow Community. 

I hope this helps.

Thanks,

Berny