I have done this - and it works well for mobile devices outside the network. However, you mentioned the following, which will not work:
"If I use the agent handler I should also be able to get the logs of the agents that update externally."
Most offsite devices are behind NATed IPs and will not allow you to see their agent web logs. They will, however, send all of their threat events to the AH, and will get policies immediately instead of waiting until they come back to the office. It's all very easy with the following two considerations:
1) Any patch or version upgrades of ePO MUST also be done to the agent handler (ePO Server 1st, AH second); during this time the AH services must be stopped until the master ePO server upgrade is completed.
2) The toughest part is setting up the perimeter rules to allow the agent handler to communicate back through your corporate firewall. There is documentation on this.
Thanks for the advice. Do you know if this has been used to gather information on lost or stolen devices?