Hello,
We've done some research into making SEPM available over the internet, including review of multiple other forum posts and KB articles:
https://support.symantec.com/en_US/article.TECH93033.html
https://support.symantec.com/en_US/article.TECH178325.html
Based on this reading and those postings, we're considering the following to allow clients to communicate both on- and off-network, as we have systems that come and go, some that are always on the company network, and others that are almost never connected to the company network. Our goal is to allow clients to continue to communicate as they come and go. We've considered setting up an instance in the DMZ and configuring replication, but I think there's a better way to go about it.
Configure internal and external DNS entries for sep.company.com or similar: the internal DNS entry would point to SEPM's internal address, and the external DNS entry to the external IP (to be NATed). 8014 would be open on that one public IP. Clients would be left in push mode (is there a reason pull is recommended for this?), as they should be able to reach the server as long as they have an internet connection; this would require a sylink change on the clients, which could be done remotely with other tools. None of the management and reporting ports would be open to the internet. Has anyone architected something similar with success, or tackled this problem in a different way that they would recommend?
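As an added example (not part of the original post, and not Symantec's tooling), the following PowerShell script is a client-side check for the split-DNS design described above. It resolves the shared hostname to see whether the client is currently on- or off-network, confirms that the client-communication port (8014) is reachable, and confirms that the management ports are not reachable through the public IP. The hostname sep.company.com comes from the post; the internal address 10.0.0.10 is a placeholder, and the management port list (8443 and 9090, the documented SEPM remote/web console ports) is an assumption to be adjusted to the deployment.

```powershell
# Connectivity check for the split-DNS SEPM design (added example, not from the post).
# Assumptions, all adjustable via parameters:
#   - $SepmHost is the name published in both DNS zones (post suggests sep.company.com)
#   - $InternalAddress is SEPM's private IP (placeholder value)
#   - $ClientPort 8014 is the only port the NAT rule should expose
#   - $ManagementPorts are SEPM console ports that must stay closed from the Internet
#     (8443/9090 are the documented remote/web console ports; verify for your install)
param(
    [string]$SepmHost = 'sep.company.com',
    [string]$InternalAddress = '10.0.0.10',
    [int]$ClientPort = 8014,
    [int[]]$ManagementPorts = @(8443, 9090)
)

$result = [ordered]@{ Host = $SepmHost }

# 1. Which address does this client's resolver return? The internal resolver should
#    hand back the private address, the external resolver the NATed public one.
try {
    $resolved = (Resolve-DnsName -Name $SepmHost -Type A -ErrorAction Stop |
                 Where-Object { $_.IPAddress }).IPAddress
} catch {
    Write-Error "DNS resolution for $SepmHost failed: $($_.Exception.Message)"
    return
}
$result.ResolvedAddress = ($resolved -join ',')
$result.Location = if ($resolved -contains $InternalAddress) { 'on-network' } else { 'off-network' }

# 2. The client port must be reachable from wherever the client currently sits.
$client = Test-NetConnection -ComputerName $SepmHost -Port $ClientPort -WarningAction SilentlyContinue
$result.ClientPortOpen = $client.TcpTestSucceeded

# 3. Management ports must not answer when the client is off-network; if any does,
#    the NAT/firewall rule is broader than the single port the design intends.
$exposed = foreach ($p in $ManagementPorts) {
    $t = Test-NetConnection -ComputerName $SepmHost -Port $p -WarningAction SilentlyContinue
    if ($t.TcpTestSucceeded) { $p }
}
$result.ManagementPortsReachable = ($exposed -join ',')

if ($result.Location -eq 'off-network' -and $exposed) {
    Write-Warning "Management ports $($exposed -join ',') are reachable from the Internet; restrict the NAT/firewall rule to port $ClientPort only."
}

[pscustomobject]$result
```

Run it once from an on-network client and once from an off-network client; the two runs should differ only in the resolved address and location, with ClientPortOpen true in both and ManagementPortsReachable empty in the off-network run.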