Thanks for your quick reply, John. That is usually how I do things, but the client is insistent that the clients must update from their internal server if possible despite my recommendation. I will still recommend doing things the way you have suggested, but want to know what is possible so I can give them an accurate report.
The client has set up a DNS CNAME, dc-sep.domainname.org, to point to the server from both internally and externally. Is there any way to configure the clients to connect to this? Would I need to set up LU on the server, and would this work as I expect?
Edit: Additionally, is there a way I can make clients REPORT back to the internal server when they are outside the network ? I feel this is more important than where they receive their updates from.