I concur with Dirk, I don't believe there's a built-in way to deny login access for just certain users from certain networks. But of course, the authentication to the OVA image itself is all handled at the operating system level not the Portal application level, so there may be ways to achieve what's desired at the OS level that I'm just not familiar with yet. A quick Google search should suffice for that, as I would be willing to bet there's some authentication apps that can always be installed that can meet that requirement too, hopefully even some open source ones.
If you want to avoid all of that though and they are hesitant about putting in the DMZ then but feel they can better protect it from attacks on their internal network, then yes that would be the way to go forward for them. They know their network best, so if they believe they have the tools necessary already in place, then they can absolutely utilize them. Most customers simply have the Portal in their internal network and use load balancer and proxies in front to aid the flow of traffic from outside to inside to the Portal, that way they maintain a tighter reign on its security. There isn't a best practice really, it's just a basic network setup. Their network team will best handle that. From the Portal side, there isn't really any configurations necessary that you need to account for, or in other words no configuration that cares whether it's in the DMZ or the internal network. It works the same either way.