We need to manage roaming devices over the internet and I am still wondering which setup would be best and which ports really need to be opened in the firewall. I cannot find much in-depth information about this in documentation (did I miss it? links appreciated!)

Four basic setup scenarios come to mind:

a) primary on corporate network, relevant ports (80/443/2645?) nat'ed on firewall
b) peer primaries on corporate network and in DMZ
c) parent primary on corporate network, child primary in DMZ
d) primary on corporate network (80/443/2645? nat'ed on firewall), satellite in DMZ (auth, content, collection roles)

In all scenarios, a VNC repeater will be placed in the DMZ and we do not want to image machines over the Internet ;-). So we only look at user/wks authentication, inventory collection and patch/bundle/policy distribution.

What do you guys do? How's your experience with it? What do you consider best practices? Which ports did you have to open on the firewall? How do clients fail if e.g. 2645 is unreachable (e.g. because the managed device is behind another firewall)?

Thanks, Lothar
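One thing that helps with the last two questions (which ports actually need to be open, and how a client behaves when one of them is not) is to probe the published addresses from the outside and distinguish a silently dropped connection (timeout, which is what makes agents hang for the full socket timeout) from an actively rejected one (immediate RST). The script below is an added example, not code from the original post or from the product vendor; the port list 80/443/2645 is taken from the poster's own guess and is an assumption, not a confirmed requirement. The loopback listener exists only so the example runs offline.

```python
import socket
from typing import Dict, Iterable, Tuple

# Ports the poster lists as candidates. The thread does not settle which of
# them the agent really needs, so treat this list as an assumption to verify.
CANDIDATE_PORTS = (80, 443, 2645)


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and classify the outcome.

    'open'    - handshake completed: the port is reachable through the firewall
    'refused' - RST received: host reachable but nothing listening, or the
                firewall rejects instead of drops (client fails fast)
    'timeout' - no reply within `timeout`: typical of a firewall that silently
                drops (client hangs until its own socket timeout expires)
    'error'   - anything else (name resolution failure, network unreachable)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def probe_ports(host: str, ports: Iterable[int] = CANDIDATE_PORTS,
                timeout: float = 3.0) -> Dict[int, str]:
    """Probe every candidate port on `host` and return {port: status}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def start_local_listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Open a throwaway TCP listener on loopback so the probe can be exercised
    offline. Returns (server_socket, bound_port); port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Find a loopback port with nothing listening (used to show 'refused')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Offline demonstration: one listening port, one closed port.
    srv, listening = start_local_listener()
    closed = free_port()
    results = probe_ports("127.0.0.1", (listening, closed), timeout=1.0)
    for port, status in results.items():
        print(f"127.0.0.1:{port} -> {status}")
    srv.close()
    # Against a real deployment, run from a host outside the corporate
    # network, e.g. probe_ports("zcm.example.org") with the default list,
    # and compare the result with the firewall NAT/allow rules.
```

Run it from a roaming device's vantage point (outside the corporate network) against the public name the agents are configured with; a `timeout` result on a port the agent uses is the case worth fixing first, because a drop stalls the agent far longer than a reject does.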