Moved to ePO for faster handling.
It should be working if it's correctly set up. Another option, if available in your environment, is to set up a proxy via the McAfee Agent > Repository policy, then your agents outside your internal network could get updated via your internal sources.
I've already selected the second option to ePO. But the customer requirement is to set up the third priority to Internet. And my testing is failing for that.
I might be stating the obvious here, but are the proxy settings configured correctly in the repository policy so that they can update when connected to the network but when the AH is down? Can they reach the proxy?
If they can't reach the proxy when connected to VPN, then that setting might cause an issue when not connected to the VPN: VPN is off, proxy is not available, fallback site won't work.