Thank you akill. I'll look into how to implement this in my network. The video is a nice added touch too and I really appreciate it.
In my opinion you should talk to your firewall admin guy first (as you will have to open some ports, regardless of what setup you choose).
Then: I think a remote Agent Handler is mainly for systems that are OUTSIDE your network (e.g. on the internet) and have to talk to ePO. So they'll talk to the Agent Handler (AH) instead (client on the internet > AH > ePO DB).
For systems INSIDE your DMZ it should be enough to open the ports from/to ePO - or, if you don't like that, you could go for an additional repository (for DATs) or set up a Super Agent or even a relay agent in your DMZ (check out the ePO product guide).
And btw: if your agents talk to ePO via port 80/443 and you have some proxy in place - or maybe are doing "SSL interception / inspection" on your firewall, e.g. - then this could break the communication (proxy: maybe, SSL interception: sure). So you'll have to configure some exclusions.