Your plan seems to work. On the security side, the agent handler requires a connection to both your ePO server and the database server. Is that acceptable to your organization? We are planning to have our extranet in a different forest, with a separate SQL Server to support SFTP, the ePO Master Repository and Windows Server Update Services. Also, you need to add the public IP address to the list of repositories, and the client agent should have this information beforehand. You may also need to delete the McAfee HTTP and FTP repositories to make sure that the agent updates only from your internal server or agent handler.
These are my two cents. Wait till more authorities in this matter respond :-) Also, post back your experience. As I mentioned, we are also looking at this possibility, except for the home-user scenario.
What I am hoping will work is that when an agent with an unknown IP checks in to the agent handler, it will be moved to the Lost and Found group, and then a policy there will say that the agent settings should get their DAT updates from McAfee HTTP. I do not want the external clients getting DATs from the internal server, as I don't want to tie up precious bandwidth?