"Thumbs Up" to Brian for his links.
The management of External SEP clients is possible, and my recommendation would be to pursue the implmentation of an additional SEP Server and Site, situated in the the DMZ. This additional site would replicate configuration data and logs with the internal/main SEP Server/Site.
Clients should be enabled for Location Awareness, and use a MSL that points at the DMZ SEPM's externally resolvable address in the "external" location.
Another option is to use a revrese/inbound proxy if you have one handy...
I'd generally recommend against exposing your primary SEPM to the internet (depending on your environment and requirements)