You should administer your firewall an open few ports.
Have a look at your ePo Configuration:
Configuration -> Server Settings -> Ports
Firewall rule DMZ -> ePo Server
Agent-to-server communication port: 80 (Standard)
Firewall rule ePo -> DMZ
Agent wake-up communication port:8081 (Standard)
Agent broadcast communication port:8082 (Standard)
See also KB66797:
Just to expand on this a little:
If you are using ePO 4.5 and MA 4.5, then you need to open the Agent To Server Secure Communication Port (443 by default) from the DMZ to the ePO server
You only need to open the Agent Broadcast Communication Port (82 by default) if the agent in the DMZ is a superagent.
If you are using ePO 4.5 - Agent Handler implementation is a secure way to distribute products and updates for clients in DMZ and internet.
We are also looking at using Agent Handlers to manage machines in various network zones but the fact that the AH needs direct access to the SQL server is offputting. It is obviously not primarily designed as a connection point in hostile networks but as a way to load balance agent connections for scalability purposes.
In a properly DMZ friendly setup no connections should be allowed from the less secure (e.g. DMZ, internet etc) into a more secure (intranet, ASZ etc) zone and certainly not the raw SQL protocol.
We now have to look at implementing reverse proxies or other ways of tunnelling the connection.