A forthcoming feature will use a gateway component that resides in the DMZ to create a secure tunnel with managed clients in order to maintain manageability to internet-connected devices that are not located on your LAN, WAN, or VPN. Currently, however, there is no supported method to manage internet-connected computers. You can configure the NS in the DMZ to communicate with clients over HTTPS (using an externally-signed certificate, unless you like pain), but this is not supported. Important functionality, namely task services, will not work, and there are mixed results on getting site services to work for large implementations.