I did some more tests and it seems that the mentioned statement is not valid (or not valid anymore, I did these tests on MX 15.33):
I installed a new web-server on my server-LAN and placed the eicar test-files in the Web-directory.
Test1) Accessed it from a PC in the user-LAN: MX blocked the download.
Test2) Connected with a client-VPN and accessed the file (so this is the original question): The MX blocked the download!
Test3) Accessed the file from a PC that comes through a 3rd party VPN: This one was very strange. The Download was allowed (AMP 4 Endpoint directly kicked in) but the MX Security Center logged a "Blocked" action which was obviously not done.
Test4) Configured a port forwarding from the internet to the web-server and accessed the file. Same as with Test3, the download was allowed but the Security Center says "Blocked".
Later ... (you should not do tests like these while doing parallel other stuff)
Only Test1 was an AMP-Block, the other events in the Security-Center came from IPS as there is also a signature for Eicar.