SML, thanks for the answer.
So it's fully acceptable for a WDE-only client to talk to the UN over the Internet to download policies and upload logs over 443/SSL.
Using Home user was a bad term; it's to support mobile and home users.
I guess then the Server name in the policy (Keys.Domain.com) will need to be the same for internal and external as they could be laptops that work internally and go externally.
Unfortunately there is no VPN, so cannot connect that way; life would be simple if that was there.
Maybe I should get CSTL to do a few days consultancy for me.