There are a couple of ways to manage mobile workers with regard to Symantec EndPoint Protection. The first is use location awareness. Location awareness allows you to set one set of policies when users are in one location and a separate set of policies when they are in a different location.
Typically when I set up location awareness I set up two locations. One for inside the office and one for outside the office. I apply these locations to the client group where my mobile workers reside.
One example, is that my inside the office LiveUpdate policy only uses the Management Server to obtain definition updates. The benefit here is that the definitions are only downloaded from the internet once. My outside the office LiveUpdate policy tells the EndPoint clients to go directly to the internet for definitions.
The second method I use to manage mobile workers is to publish my Symantec Management server onto the internet. This requires opening one port on your firewall and NATing it from a public IP to the private IP of the SEPM server. It also requires that you add the public IP of SEPM to the Management Server List and then sending sending out the new SYLINK file. The benefit of this is that if you have road warriors or people who rarely, if ever, come into the office you can still see the full health of their SEP client and computer and still manage the client with policies. For more information check the link here.