We have an internet facing agent handling for all of our mobile force. No real problems. The only thing that was a bit confusing was setting up the rules for which agent handler to connect to. Since computers may get the same ip range on a different network, we chose to do the most simple thing and that was to say try the internal facing epo agent first and if it fails then try the agent handler. This also works as a backup in case i shutdown the primary epo server or it has problems then computers will have a backup to the internet facing one.. We found no real security issues with the setup. The computers communicate with SSL and you must have the epo agent from the server in order to communicate to it. Only make the ports that need to communicate to the agent handler open through your firewall.