Here are two ways to do what you want:
First, the fast and dirty hack:
Get MyEnTunnel.
Install it on your Windows server.
Configure a user account on your Zimbra server for SSH access.
Forward the LDAP port from the Windows server to the Zimbra server using MyEnTunnel and the user you just created.
You want remote tunnel mode for this; let's say you forward 389:127.0.0.1:55389.
Notice we're not encrypting LDAP traffic; it's not necessary since we're using SSH to encrypt the traffic between Windows and Linux.
Now configure external authentication for Active Directory as you would when the AD is on the local network (search this forum for a howto); just give the bind address as ldap://127.0.0.1:55389.
Downsides:
You need to be logged in on the Windows server for MyEnTunnel to run/open the login tunnel. (Just connect with Remote Desktop and lock the screen.)
----end of first way ----
Now the proper way:
(Vague explanation, sorry; you'll probably have to google how to do a lot of these steps.)
Configure CA services on the Windows server.
Create a certificate for your Windows server, export it, and also export the CA cert.
Import the certificates into all the necessary certificate stores on the Zimbra server (Java/Tomcat/Jetty/others?).
(You probably need to do that step every time you upgrade Zimbra.)
Enable LDAPS on Windows. You need LDAPS for the traffic to be encrypted here.
Port forward port 636 from the network where the AD is to a public IP.
Create a firewall rule to permit the Zimbra server to access that public IP/port 636.
Configure Zimbra to use ldaps://public-ip:636 as the external authentication source.
Downsides:
This way is a PITA to configure (read: takes somewhere from 8 to 40 hours to get working), but it doesn't require you to be logged on to the Windows server.
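As an added example (not part of the post above, and not a Zimbra or MyEnTunnel tool): a standard-library Python probe that performs an anonymous LDAP simple bind against the forwarded port, so you can confirm the SSH tunnel really terminates at a domain controller before pointing Zimbra's external authentication at it. The loopback host and port 55389 are taken from the first method; the one-shot fake LDAP responder in run_self_test is constructed here so the script runs offline, and RESULT_CODES is a hand-picked subset of the codes in RFC 4511. One caveat worth knowing when using the first method: if the domain controller is set to require LDAP signing, a simple bind over plain LDAP on its 389 port is answered with resultCode 8 (strongerAuthRequired) rather than success, and this probe will show that.

```python
"""Probe an LDAP endpoint with an anonymous simple bind using only the
standard library (raw BER, no python-ldap). Example code written for this
page; it is not part of the original post, Zimbra, or MyEnTunnel."""
import socket
import threading

# Hand-picked subset of RFC 4511 result codes relevant to an AD probe.
RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired (AD answers this when signing/TLS is required)",
    49: "invalidCredentials",
    52: "unavailable",
}


def _ber_len(n: int) -> bytes:
    """Encode a BER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_bind_request(msg_id: int = 1, dn: bytes = b"", password: bytes = b"") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    msg_id must be below 128 for the single-byte INTEGER used here."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn) + _tlv(0x80, password))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_bind_response(data: bytes) -> int:
    """Extract resultCode from an LDAPMessage carrying a BindResponse (0x61)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE (is this really LDAP?)")
    _, _msgid, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(resp, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode ENUMERATED")
    return int.from_bytes(code, "big")


def probe_ldap(host: str, port: int, timeout: float = 5.0) -> int:
    """Anonymous simple bind; returns the LDAP resultCode (0 = success).
    A refused connection means the tunnel is not up; a ValueError means
    something other than an LDAP server answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request())
        data = s.recv(4096)
    if not data:
        raise ConnectionError("peer closed without an LDAP response")
    return parse_bind_response(data)


def build_bind_response(result_code: int, msg_id: int = 1) -> bytes:
    """Constructed BindResponse used only by the offline self-test."""
    resp = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b""))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + resp)


def run_self_test(result_code: int = 0) -> int:
    """Start a one-shot fake LDAP responder on loopback and probe it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(4096)
            _, msg, _ = _read_tlv(req, 0)
            _, _, pos = _read_tlv(msg, 0)
            if msg[pos] == 0x60:  # only answer a genuine BindRequest
                conn.sendall(build_bind_response(result_code))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return probe_ldap("127.0.0.1", port)


if __name__ == "__main__":
    code = run_self_test()
    print("offline self-test resultCode:", code, RESULT_CODES.get(code, "other"))
    # Against the real tunnel from the first method: probe_ldap("127.0.0.1", 55389)
```

Run it on the Zimbra host while the tunnel is up; a 0 means the bind handshake completed end to end and Zimbra's zimbraAuthLdapURL can safely point at the loopback port, while a ValueError or refused connection means the forwarded port is not reaching an LDAP listener yet.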