IPSec VPN v. SSL access to FactoryPMI

That is correct - you also wouldn't port forward the HTTP port over from the public internet - the FPMI server would have an internal LAN address.

FactoryPMI's SSL implementation is based on Apache Tomcat, which is a very widely used (and thus well-tested) product.

Stepping back a bit, SSL and VPN aren't equivalent technologies. SSL provides encryption for HTTP traffic. On a port-forwarded setup, outside parties only have access to the FPMI server through its HTTP port. So, only HTTP requests can be made. VPNs put the computer "virtually" on the host network, and then encrypt all communication.