Check the PBX Nodes in the UC Blade on the MAS server to make sure that your UC is pointing to your PBX correctly. There may be other areas on the MAS where you need to reference the PBX; I can't remember.
But yes, those port openings work, and I believe that the performance is better than using a VPN. Especially since UCA is often set to load on startup, if it's reliant on a VPN, that would add further difficulty to require a VPN connection before loading UCA when outside of the office.
As to what's safe and what's not, I'm not a security expert. IMHO, using UCA with ports open to the MAS - and just the MAS - is good enough.