This should include systems that provide services on the internet such as email servers, web servers and other systems such as the firewalls that are in place to prevent unauthorised access from the internet into your system.
External testing should also include any systems you have in place to allow staff to connect into your organisation remotely. These remote access solutions normally involve VPN that should be tested as part of your external assurance.
If your organisation is dependent on third-party suppliers and they have access to and from their own office locations this should also be considered as an external connection and tested.
Network Penetration Testing