When you have your SEP infrastructure available in your network, why not put a redirect on your external firewall or a load balancer etc. on the edge to provide access for your clients to the SEP infrastructure? Or you could set up a SEPM in the DMZ.
In general you can do authentication based on a certificate or other methods to secure access to your SEP infrastructure.
That way you can manage your clients even when they are connected to the Internet, without a VPN or anything.
Based on your SEP policies you can use locations to set up specific management server lists for your locations, e.g. the Internet location gets the one with the external DNS/IP etc.
Regarding locations, you may like the following article.
https://www-secure.symantec.com/connect/articles/use-case-location-awareness-and-network-threat-protection-sep-1112
Then there is another possibility, but for this you would probably need Professional Services. This would be based on a web server like Apache acting as a caching server for your internal SEPM on the edge.
Hope this helps
cheers toby