Even if your clients are in the WAN and the SEPM server can't talk directly to them, almost all of the features still work. The clients still report in to the SEPM, they still get virus definitions and policy updates, etc. We have tons of clients setup this way and it works great. Clients check-in at their heartbeat interval, update their logs and status to the SEPM, download policies and defs (or get them from a GUP in their remote location) and everything is fine.