Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
http://www.symantec.com/business/support/index?page=content&id=TECH178325
The biggest pro is that you can still manage clients while they're off the network by havig them connect to your SEPM. You will still be able to view logs, push updates, etc.
The biggest con is that you are more susceptible to attackers as per the article:
DMZ's are accessible from the Internet, so it is possible for someone to attempt to access (hack) into the server system that is running the SEPM through other vulnerabilities in the OS or other software running on that server. If successful, they might be able to access SEP database, which contains information about every computer in the company's organization that is defended by SEP. This includes the IP address, computer name and SEP version they are running (some older releases of SEP have known vulnerabilities) or which SEP clients have AutoProtect disabled or which clients have no firewall enabled.
For these reasons, Symantec recommends hardening the operating system on the server where Symantec Endpoint Protection Manager will be installed.