Hi,
Establishing a site-to-site VPN tunnel is the best option. It allows the SEP clients to be managed like any other clients on the internal network. However, site-to-site VPN tunnel may not always be possible and sometimes, the risk of passing SEP traffic through external network may be acceptable. This document explains how to achieve this without a site-to-site VPN tunnel.
How to allow Symantec Endpoint Protection clients in a remote location to be managed by a Symantec Endpoint Protection Manager that's behind a NAT device
http://www.symantec.com/docs/TECH93033
Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
http://www.symantec.com/docs/TECH178325
Security recommendations regarding SEP client installed on server located in DMZ
http://www.symantec.com/docs/TECH122858
Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
http://www.symantec.com/business/support/index?page=content&id=TECH178325