That's dissapopinting to hear, but I'm gratified to know that you are working on a solution.
Incidentally, have you considered simply adding a "proxy round robin" system (like the one I described in my first post) to the client? If it's a setting you can add in the Altiris client settings, then you don't need to get overly complicated with the NS and involve any kind of network trickery. You might need to add an update to the site servers to allow for encrypted communication, but other than that it could be a very simple setup indeed.
In the meantime we can't patch our mobile users, so I hope that a quick fix is incoming. I'm not looking forward to telling my boss.