I just finished building a ePO server in the DMZ to host a cloud based solution we have. It was really easy.
So I have a server that sits in the security POD as we call it. Got a VIP created for it. So now the server has an internal and external IP. But still only has 1 phyiscal connect to the network (not dual homed) We have a F5 the manages the external connections and load balancing. So in the F5 it is configured that any traffic comming in to the VIP routes to the interla IP wich is the ePO server. For obvious security reasons only port 443 can connect to the VIP and be routed in. No outbound traffic can be generated only inbound.
FYI the ePO db is locate on a separate server internally to the network. Do not want a DB facing externally.
Then I cretaed an agent handler (the ePO server)and added to the top of the list using the VIP address. Now I have an agent that knows how to commicated over the Internet to the ePO server on port 443 only.
So communication can only be intiated by the Agent. So I can not do wakeup calls but that is fine. Changed the ASCI to 10 minutes