Can you verify the last check-in time for these machines to see if they are able to access the ePO server? I can think of some issues if they cannot resolve the ePO server in DNS, for example, from outside. Do they ever use a VPN? If not, usually a Secure Agent Handler is advised for off-network hosts to communicate in.
I'd deploy EEGO to one of the endpoints and take a look at the data channel test - you may have a firewall/NAT issue affecting the data channel.