Hi,
1: MIP/VIP is used for NATting. If you have a VPN established, then you can directly access the iDRAC. Maybe you can have the VPN configured on the Eth0/2. NAT will only be required if you want to access the iDRAC from the internet and any non-VPN site.
2: VM hosts (public IPs) can be directly accessed; no need for NAT or VPN.
3: Check https://www.juniper.net/documentation/software/screenos/screenos6.3.0/630_ce_Administration.pdf for different types of config examples.
Thanks,
Vikas