Yes, you can. You have to configure your firewall to permit all the MS ports from the group of addresses that you will assign to the users. From the point of view of AD, whatever policies you have for the users would apply. Take a look at this MS link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;318750.
The one thing is that if you are not using a RADIUS server, you might have problems with OU memberships, since the VPN will only recognize NT 4 type domains. What this means is that if you are configured as a native 2003 AD, you will not be able to use the VPN directly. You should then use the Windows RADIUS server or Cisco ACS server. Also, all of your accounts have to be stored in AD using reversible encryption, which makes the passwords less secure.
Hope this helps.