Hi Allan.
You do not need to publish the Directory Server to the internet. You only need to publish the individual component of it called the WebSTS. This component serves to provide a login screen to use with the Directory Server hosted locally on the same machine. It does not expose any part of the Directory Server to the web other than the login call.
I should add, though, that I cannot guarantee that this particular setup works, since it was not specifically designed for it... though I can't think offhand of any reason why it wouldn't work.
Edit: Sorry, it totally slipped my mind that this won't work at the moment, because Social BPM and Directory Server currently only support forms of LDAP and Active Directory or eDirectory users, so your users will not be able to authenticate over the internet. Stay tuned for ways of making this work in the future, though.